(54) Title: A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE
(57) Abstract

A method of renting software that relies on the reversal of encryption processes by the integration of secure processing into the system microprocessor of a user controlled data processing system. It consists of protected software objects that, in addition to being functionally limited so as to require reversal of said limitation within the system microprocessor, also have closely integrated information about conditions of use. This is used to distribute computer software on a large scale that may run on any computer. The user is charged on a unit basis. The secure processes described for the system microprocessor will have applications in other secure processes.
TITLE OF INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

TECHNICAL FIELD:

The distribution of software and other information reversibly functionally limited, usually by encryption, requiring reversal by a secure device that may also be used to provide software on a pay-as-you-use basis.

BACKGROUND TO THE INVENTION AND DESCRIPTION OF THE RELATED ART:

The invention describes a method and apparatus that protects software objects. The protected information cannot be used without the assistance of one or multiple secret processing devices. Said secret processing devices provide a mechanism for reversing the protection applied to said information, and said reversing may only be activated by certain predetermined secure processes. The process of activating said reversing usually ensures that the producer of said information and or their agents receive correct payment for usage.

High speed dispersal of information between most computers with access to a modem/telephone line, together with forthcoming means of storing in excess of ten gigabytes of information on a writable optical disk, is likely to lessen the commercial value of information released in clear code format. One clear code copy in the wrong hands could result in its effective worldwide dispersal in a short time.

One objective of the invention is to provide a means of maintaining security applied to information during and after it performs the functions required of it.

The known art describes a means of protecting computer software by requiring the presence of particular devices to operate properly. These devices are secure to varying extents. The problem with computer software is that the protection applied must be reversed prior to providing the information to the system CPU for processing. Once reversed it is accessible to those experienced in the art.

Known art WO 90/13865 describes a process whereby a secure location remote to a potential user supplies an encrypted software object to a user controlled data processing system and a secure method of decrypting said encrypted software object. The software object usually contains information that is continually varying. This provides security by [illegible] in that it is a waste of time analysing information that is redundant shortly after its creation. This known art does not provide effective security against objects that, once downloaded and deciphered, may be used in perpetuity, as is usually the case with computer programs.

Known art described in AU-A-14856/95 relies on software methods to process the deciphering algorithms used to reverse functional limitations placed on software objects. Said software methods are susceptible to an experienced person generating usable information from protected software objects reliant on this method.
WO 97/25675 PCT/AU97/00010

The current invention may be used to significantly [...] in WO 90/13865 and or AU-A-14856/95. It may also be used as a significantly more secure and flexible replacement for this known art.

Other known art calculates [...] certain values in a secure environment. Said values are passed to an associated computer program and compared with internally generated values. These [...] has presumably been purchased with the computer program. Said secure environment is not providing an essential function absent from said associated computer program, as it is practical to circumvent this protection by disassembly of parts of the program to examine the other side of the equation.

The known art describes a cryptoprocessor (US patents 4465901, 4419079, 4278837, 4168396) that is capable of deciphering instructions and or data in real time as it is loaded into the central processing unit. Said instructions and or data are usually stored in enciphered form [...] controlled data processing system;
• that may variably have one or multiple programs loaded from a potentially large selection and or said programs may use different decryption parameters; and or
• where the address occupied by a particular program may be different on each occasion it is loaded (said known art is particularly directed at ensuring that an encrypted program will crash with minor variations to its location in the address map); and or
• where one or multiple encrypted programs may need to coexist with clear code programs in a constantly varying environment; and or
• where it is not usually practical to protect [...]; and or
• where an interrupt to an encrypted program may direct processing to non-secure methods that may threaten the secrecy of certain information [...]; and or
• where an encrypted program needs to [...]; and or
• where an encrypted program needs to protect its stack from analysis; and or
• where an encrypted program exists as multiple modules that are loaded as required and where one or multiple modules may use different decryption parameters that need to be dynamically changed as program execution flows between them; and or
• where different programs in a multitasking environment, that may have different decryption parameters, need to be securely switched on a frequent basis.

The known art describes the programming of software objects into a secure microcontroller. This is restricted to a limited number of predefined [...] within a user controlled data processing system in conjunction with a secure environment that is not practical to analyse, wherein said secure environment (that may be a microprocessor) includes inaccessible information and also provides for external software objects, that may be selected and loaded as required from a potentially large number, to be able to transfer processing (and or pass any required data) to said inaccessible information within said secure environment, wherein said secure environment includes computer instructions and or data (including that passed) which may be processed in secret within said secure environment to perform important functions and or any other functions that are absent from said software object and that provides for transfer of processing and or data back to said software object as appropriate; and or provide data that is absent from an external software object when appropriately requested by said software object. Said inaccessible information:
• may be preprogrammed into a storage device; and or
• may be greater than the available storage device within said secure environment; and or
• may be dynamically swapped in and out of said secure environment; and or
• may be transferred to said secure environment and decrypted within said environment and processed within said secure environment;
and this applies for any of the preceding combinations when said secure environment is part of:
• one or multiple system microprocessors, and or
• one or multiple devices attached directly and or indirectly to the user controlled data processing system, and or
• within devices linked via network and or Internet (or equivalent in part or whole).

The known art does not describe any method and apparatus that permits multiple protected software objects, including those protected:
• by software encryption/decryption alone, and or
• by secure decryption within a secret environment, and or
• by secure decryption and secure execution of the ensuing decrypted information within a secret environment,
that allows said multiple protected software objects to concurrently and or otherwise execute in a multitasking or multiuser and or multiprocessor environment (where said multiprocessors may be the same and or different).

One objective of the present invention is to provide a method and apparatus:
• that overcomes part or all of the aforementioned deficiencies in the known art, and
• that may be used to support a multiplicity of new methods and apparatus for distributing computer software, and
• that may be used to strengthen a number of weaknesses with the current art.

The known art describes a number of software methods whereby the user pays on 'an as used basis'. These methods include those protected exclusively by software methods. These usually include various software clocks that count down on a predetermined basis, and inactivate the program at the appropriate time. Payment is usually made for the use of a particular object on the terms predetermined. Disadvantages of this method include:
• inherent lack of security;
• the unsecure nature of the protection processes makes it unlikely that software vendors will feel comfortable with the process;
• should software vendors make a large selection of software available, users would usually be required to pay for access to the full period predetermined for each program, making it unappealing for users to access a large number of different programs as required (apart from any trial periods);
• lack of flexibility;
• user cannot self-determine the amount of time required and pay accordingly.

The security of the process for renting software is improved with known art described in WO 90/13865, wherein there is a secure device within the user controlled data processing system that monitors the time used by a software object downloaded from a service provider. Details of time used are periodically transferred back to the service provider. This method requires the user to be on line to receive said software object and to receive the timing parameters relating to said software object. The method also requires the user to remain on line for continued security of the process and to periodically upload elapsed time to the service provider. The user would normally be billed on a predetermined basis for software usage.

The known art does not describe a method and apparatus to provide a secure and secret environment for the secure recording of usage of more than one program at a time in a multitasking and or multiuser and or multiprocessor [...]

The known art does not describe a secure and secret environment that can be securely preprogrammed with a predetermined amount of usage, whereby said usage:
• is prepaid and or
• is a credit limit for use that will be billed at a later date;
and said predetermined amount of usage remains available for an extended period of time (preferably surviving loss of [...] multiple software objects over said extended [...]; and said predetermined amount of usage may be securely updated with additional usage rights as required.

The known art does not describe a secure and secret environment that can:
• securely record usage of software objects; and or
• securely maintain a record of amounts owing to different vendors and or against different software objects; and or
• provide a report on any basis, including [...]; and or
• temporarily or permanently disable itself in part or whole should said predetermined amount of usage be [...]; and or
• temporarily or permanently disable itself should it fail to receive secure confirmation that reports sent to a service provider have been received.

The known art does not describe a method and apparatus [...] that include information about their particular billing requirements, whereby said software objects are subsequently distributed on a large scale, permitting each potential user to use any of the software objects as frequently as they require and only pay for use incurred, said use reducing the amount of usage predetermined within said secure and secret environment. There is no known method and apparatus [...] stored within previously released software objects and that which is current, particularly as it applies to billing information.
It is another objective of the invention to provide a method and apparatus to overcome, in part or whole, the aforementioned deficiencies with the known art, and said method and apparatus may also be used for a number of other described applications. An important objective is the provision of a secure, virtually transparent (to the user) method of renting software for use on a user controlled data processing system (UCDPS), on a usage basis, that in one configuration is independent of any attachment to any devices coupled remotely (eg. telecommunications link) to the UCDPS.

The method and apparatus described to advance the art of protecting and distributing computer software may also be adapted in part or whole to the protection and distribution of other commercially valuable information.

DEFINITIONS:

Replication or duplication may be one to many copies and may be replication of part or whole in any combination and or number.

Decrypt(ed) and decipher(ed) may be used interchangeably and refer to reversal of a previously applied encryption process. Unless relating to a specific decryption process that is a claim of the invention it may be interpreted as being any known method of decryption.

Decode is generally used in the traditional computer sense of decoding addresses etc.; however, where the context permits it should be interpreted as for decrypted.

Clear text (or clear code) is information that is not encrypted and may be derived from encrypted information and or may have been supplied as clear code.

Internal to the System CPU (or System Microprocessor) indicates that the hardware and or microcode and or software is on the same integrated circuit substrate; and or that they are on multiple substrates interfacing where necessary using any known method and apparatus within the package of the system CPU; and or part of the device is within the system CPU package and part (or all) external to the System CPU package and attached externally to the System CPU package using any method and apparatus.

A system CPU, also referenced as system microprocessor, is one that a person experienced in the art would consider to be suitable as the primary (or one of multiple primary) processing units in a User Controlled Data Processing System (UCDPS).

Processing or process refers to the actual execution of computer instructions and or the manipulation (in any way) of data associated with the computer instructions and or manipulation (in any way) of any other data.
Software Object: A software object is that which a person experienced in the art would consider a software object. Computer programs and or subroutines that constitute part of a computer program are considered software objects. Data pertaining to said computer programs is a software object. Information that is processed by a UCDPS and subsequently displayed as text and or images and or sound for any reason, including as normal output from a computer program and or [...] visual imagery and or video in the form of motion pictures, is a software object.

PCPU: Within this application reference to a PCPU or Protected CPU refers to a Secret Processing Device (SPD) embedded within the system microprocessor package of a UCDPS.

ESPD: Reference to an External Secret Processing Device or ESPD refers to an SPD attached directly or indirectly to any other part of the UCDPS.

End of Definitions.

DESCRIPTION OF THE DRAWINGS:

Figure 1 is a diagram of an apparatus suitable for use as a secret processing device embedded within the system microprocessor.
Figure 2 is a diagram of a basic embodiment of an SPD for use external to the system microprocessor.
Figure 3 is a diagram of the address map for secure functions within the system microprocessor.
Figure 4 is a diagram of [illegible in source].

DESCRIPTION OF THE INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

The invention describes a method and apparatus for the protection of software against piracy and provides a secure process for the mass distribution of software. This is done by functionally limiting a software object and securely linking it with conditions of use and object support information to create a Protected Software Object (or PSO) which must be used with a Secret Processing Device (or SPD) that is directly or indirectly attached to a User Controlled Data Processing System (or UCDPS). This provides [...] software. The preferred [...] of the User Controlled Data Processing System where [...].

The following describes those aspects considered essential to a full implementation of the invention.

1) a method of distributing software objects from a producer to a potential user comprising the method steps of:

i) providing a secret processing device (or SPD) for direct and or indirect attachment to a UCDPS whereby said SPD is any one or multiple hardware devices that may use any combination of software and or microcode and or any other method to provide a secure and secret environment for processing information and or storing information and that provides the following:

a) any one or multiple methods and or apparatus that
securely decrypt and execute instructions and or securely decrypt and process data that complies with part or all of the requirements of reversing functional limitations applied using the Oscar method (described later); and or reverses the functional limitations applied using the Groover method (described later); and or reverses any other functional limitations applying to a PSO; and or transfer into the SPD any part of one or multiple PSOs that may be necessary to provide any of the functions required by said PSOs; and or access any part of one or multiple PSOs that may be located external to the SPD in order to provide any of the functions required by said PSOs; and or examine the generic and or distinct conditions of use linked to a particular PSO, and or determine a response to said conditions of use; and or respond to said conditions of use;
and or
b) may be embedded, in part or whole, within [...] be within any one or multiple devices attached directly and or indirectly to the system microprocessor and or the UCDPS, and may not disrupt the normal functions of the UCDPS and may in part or whole be used as part of an application that in part or whole is dependent on connection to a distributed data processing system, that may be of any type, including local networks and or intranet (or similar) and or the Internet (or similar), and may benefit from connection to one or multiple remote computers and or any other devices to simplify transmission of various information; however, said secure and secret processing functions, in part or whole, are functional and or [...] functional, when said UCDPS that has been provided with said secure and secret processing functions is used as a standalone unit independently of attachment to remote devices, and said UCDPS may be switched on and off for variable periods of time and or moved to different locations and or reset as frequently as required, without affecting the functions that are provided to said UCDPS;
and or
c) provides an area of secure memory storage devices that is not practical to analyse;
and or
d) provides for partition of secure memory storage devices into one or multiple secure system partitions and one or multiple user partitions whereby programs in system partitions may access user partitions; however, a user partition may not access a system partition unless authorised, and or any particular user partition may not access any other user partition unless authorised;
and or
e) may transfer part or all of protected software objects and or any other software object from unsecure to secure locations for processing and or transfer information from a secure location to an unsecure location; and or
f) may securely decrypt part or all of decrypted parts of protected software objects and or any other encrypted information within said secure locations;
and or
g) may process part or all of one or multiple protected software objects in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted;
and or
h) are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code, that assist and or replace any other known software protection and or distribution systems that are reliant in part or whole on user accessible software processes and or unsecure identifying codes to provide protection against unauthorised use of software objects, when part or all of said user accessible software processes and or
unsecure identifying codes are transferred (either by preprogramming and or dynamically as required) to a secure location that permits private processing of the information;
and or
i) have the capacity to detect whether part or all of said suitably configured protected software objects have been tampered with;
and or
j) may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function;
and or
k) have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic, [...] and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software objects;
and or
l) may use any method [...] said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling [...] of the secret information that may be stored within secure memory [...];
and or
m) may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information;
and or
n) may have the capacity to [...];
and or
o) may securely record [...] of the usage on a producer and [...];
and or
p) may request and or compel (this may include temporarily or permanently disabling part at least of the SPD) the user of the UCDPS to provide [...];
and or
q) may confirm that said reports have been received as required;
and or
r) does not require modification of the User Controlled Data Processing System operating system;
and or
s) may not require special [...];
and or
t) may identify the type of protected software object and act as required;
and or
u) provides or have access to one or multiple tamperproof, non-volatile sources of time and or date;
and or
v) provides or have access to one or multiple tamperproof timers;
and or
w) provides one or multiple methods of identifying at least one tamperproof environment; this may include the use of an electronic signature;
and or
x) provides one or multiple secret codes and or programs that are unique to a particular SPD and or that are common across particular groups of SPDs;
and or
y) provides one or multiple programs, that may be preprogrammed (into the SPD) and or transferred (into the SPD) as required, that use secret information unique to the SPD to decrypt software objects;
and or
z) may process multiple protected software objects in a multitasking environment; this may be transparent to the UCDPS operating system;
and or
aa) include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way altered, in a secure manner and usually transparently to the user of the UCDPS, enabling appropriately configured PSO(s) to adapt the secure information in the SPD for any purpose, including: making multiple SPDs identical in part at least (including multiple PCPUs in a multiprocessor system); and or create one or multiple applications not currently available to the SPD; and or that permits any current application to be dynamically adapted, including dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections; and or dynamically modifying decryption processes;
and or
ab) are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any function described for the correct processing of protected software objects;
and or
ac) include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose;
and or
ad) may decide to reverse one or multiple functional limitations on one or multiple PSOs based on said conditions of use, where said decision is in part at least autonomous to the SPD and based in part at least on secure [...] internal and or external to the SPD of generic information applicable to multiple PSOs, that may [...] a plurality of any information states within and or external to the SPD, including one or multiple electronic credits that are modified (directly or indirectly) in response [...] long as the requirements of one or multiple PSOs and or SPDs are complied with, the user of said UCDPS may be able to execute and or process one or multiple PSOs on the same basis as if they were unprotected software objects;
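The following Python model is added here as an illustration and is not code from the patent or its applicant. It shows how items d), o), p), q) and ad) of the list above fit together in one device: the partition access rule, a prepaid balance of generic units that each use decrements, a per-producer record of amounts owing, and authenticated usage reports whose non-confirmation, like exhaustion of the balance, disables the device until the condition is cleared. Every name (SecretProcessingDevice, Partition, DEVICE_KEY, MAX_UNCONFIRMED_REPORTS, provider_ack, provider_topup) and the use of a symmetric HMAC key shared with the service provider are assumptions of the example; a real SPD would hold this state and key in secure memory rather than in ordinary Python objects.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed secret shared between this SPD and the service provider (item x: a secret
# unique to a particular SPD). Assumption of the example; a real device keeps it in
# secure memory and the provider keeps its copy in its own secure location.
DEVICE_KEY = b"constructed-per-device-secret-key"
MAX_UNCONFIRMED_REPORTS = 2   # assumed policy value, not taken from the patent


def _mac(message: str) -> str:
    return hmac.new(DEVICE_KEY, message.encode(), hashlib.sha256).hexdigest()


@dataclass
class Partition:
    """A region of secure memory; kind is 'system' or 'user' (item d)."""
    name: str
    kind: str
    authorised_readers: set = field(default_factory=set)


def may_access(src: Partition, dst: Partition) -> bool:
    """Item d): system partitions may access user partitions; a user partition may
    access a system partition or another user partition only if authorised."""
    if src is dst:
        return True
    if src.kind == "system" and dst.kind == "user":
        return True
    return src.name in dst.authorised_readers


class SecretProcessingDevice:
    def __init__(self, prepaid_units: int):
        self.units = prepaid_units      # predetermined (prepaid) amount of usage
        self.owing = {}                 # producer id -> units consumed (item o)
        self.exhausted = False
        self.pending_reports = []       # report numbers awaiting provider confirmation
        self.report_seq = 0
        self.topup_seq = 0

    def is_enabled(self) -> bool:
        """The device disables itself when usage is exhausted or reports go unconfirmed."""
        return not self.exhausted and len(self.pending_reports) <= MAX_UNCONFIRMED_REPORTS

    def charge(self, producer: str, units: int) -> bool:
        """Record one use against a producer; refuse when the balance is short."""
        if not self.is_enabled() or units < 0:
            return False
        if units > self.units:
            self.exhausted = True
            return False
        self.units -= units
        self.owing[producer] = self.owing.get(producer, 0) + units
        return True

    def make_report(self) -> dict:
        """Usage report (amounts owing per producer) authenticated with the device key (item p)."""
        self.report_seq += 1
        body = {"seq": self.report_seq, "owing": dict(sorted(self.owing.items())),
                "remaining": self.units}
        self.pending_reports.append(self.report_seq)
        return {"body": body, "tag": _mac(json.dumps(body, sort_keys=True))}

    def confirm_report(self, seq: int, ack_tag: str) -> bool:
        """Item q): accept only a provider acknowledgement keyed over the report number."""
        if seq not in self.pending_reports or not hmac.compare_digest(_mac(f"ack:{seq}"), ack_tag):
            return False
        self.pending_reports.remove(seq)
        return True

    def top_up(self, units: int, auth_tag: str) -> bool:
        """Securely add usage rights: the provider's tag must cover the next top-up number."""
        if not hmac.compare_digest(_mac(f"topup:{self.topup_seq + 1}:{units}"), auth_tag):
            return False
        self.topup_seq += 1
        self.units += units
        self.exhausted = False
        return True


def provider_ack(seq: int) -> str:
    """Stand-in for the service provider acknowledging report `seq` (shares DEVICE_KEY)."""
    return _mac(f"ack:{seq}")


def provider_topup(seq: int, units: int) -> str:
    """Stand-in for the service provider authorising a top-up of `units` as top-up `seq`."""
    return _mac(f"topup:{seq}:{units}")
```

The sequence numbers in the acknowledgement and top-up tags are what stop a captured acknowledgement or top-up authorisation from being replayed to re-enable or refill the device; the MAC over the report body is what lets the provider reject a report whose amounts owing were altered in transit.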

ii) providing a software object;
iii) modifying part or all of said software object such that it is functionally limited to run on only a UCDPS fitted with a SPD and or equivalent, and the functional limitation is by the Oscar method as defined below and or by the Groover method as defined below and or by any other method, and said functional limitation may be of one or multiple essential parts of the software object, preferably such that it is not practical to regenerate the original software object from any parts that are not functionally limited, and said modifying is preferably done at a secure location (also referenced as a service [...]) [...] the SPD and for any particular functionally limited software object the functional limitation may only be reversed on a specific SPD with any unique characteristics necessary to reverse the functional limitation, or the functional limitation may be reversed at a plurality of SPDs characterised by common characteristics necessary to reverse the functional limitation; and or

modifying part or all [...] any method, to one or multiple conditions of use, also referenced as PCPU Inclusion Codes (or PIC), that in part or whole are tamperproof and that include any code that directly or indirectly identifies the producer of the software object and or identifies the software object [...] record use of that particular software object and or use of PSOs by a particular producer and or use on any other basis, in part or whole, where the record of use in part or whole is used in determining remuneration to the producer and or any other parties; and or the conditions of use include any code that contains information which may be used by the SPD to determine if the software object:

is permitted to execute in part or whole, on a units of time used basis, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably on a generic units of use basis and said generic units may be attributed any real currency value at any stage;
and or
is permitted to execute in part or whole on an events occurring basis, for example the number of times one or multiple parts of the program are loaded and or executed and or any other [...], and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably on a generic units of use basis and said generic units may be attributed any real currency value at any stage;
and or
is permitted to execute on an unlimited basis subject to a fee, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement [...] said generic units may be attributed any real currency value at any stage;
and or
is permitted to execute on any type of limited basis subject to a fee, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably on a generic units of use basis and said generic units may be attributed any real currency value at any stage;
and or
requires entry of one or multiple data keys of any type prior to initiating use of part or all of the software object for the first and or any other time on a particular SPD, and may include whether or not a fee is to be charged for providing the data key;
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1 and or 

2 requires any other restrictions to be placed on use; 

3 and 

4 any software object modified in part or whole as described is referred to as a Prelected Software Object (or PSO); 

said Oscar method is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object;

said Groover method is any functional limitation of part or all of a software object by deletion of part or all of the information within the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object;

iv) providing one or multiple PSOs onto computer-accessible memory media and or any suitable apparatus for electronically transferring said PSOs to a potential user, and preferably the conditions of use attached to said one or multiple PSOs permit said PSOs to be used on a time or events used basis in a UCDPS suitably equipped with a SPD that has sufficient aforementioned units of measurement stored within and or securely accessible;

v) shipping said one or multiple PSOs on computer-accessible memory media to a potential user and or electronically transferring said one or multiple PSOs;

vi) loading said one or multiple PSOs into a UCDPS and executing as permitted by said [illegible];

vii) where required by the conditions of use or any other reason, a means for the user to:

• request the supply of one or multiple units of measurement that may be required by the SPD for any purpose, and or

• receive one or multiple said units of measurement, preferably in suitably encrypted format, that may use any method, and transfer said units of measurement into the SPD, and or accessible to the SPD, and or

• request the supply of one or multiple data keys that may be required by the SPD, and or

• receive one or multiple data keys and transfer said data keys into the SPD, and or accessible to the SPD, using any method, and or

• generate one or multiple reports of software usage and or any other information that may be required, and supply said reports to the service provider and or any other external location, as required, and or

• receive one or multiple codes confirming that said report has been received and supply said one or multiple confirming codes into the SPD and or accessible to the SPD, and or

• request the service provider and or any other authorised party for one or multiple codes that may be used to reactivate part or all of the SPD that may have been disabled for any reason, and or

• receive one or multiple codes to reactivate part or all of the SPD that may have been disabled for any reason, and transfer said codes into the SPD, and or accessible to the SPD; and

for any of the preceding, the information generated by the UCDPS and or received from the service provider is preferably transferred electronically, however, any other combination of methods may be used including mailing of computer-accessible memory media containing the information.

PREFERRED IMPLEMENTATION OF THE INVENTION:

To assist with understanding the invention, reference will now be made to the accompanying drawings which show one example of the invention. In the drawings, Figure 1 shows an apparatus that is suitable for use as a secret processing device embedded within the system microprocessor.

Throughout this description and the accompanying drawings, many signal lines are represented by a single line and an identifying symbol. This may represent any number of signals, for example, a certain logic function output may clock, clear and set a flip flop, however, usually only one signal line will be shown. In the case of various buses, the lines represent whatever number of signals constitute said bus or whatever subset of said bus is relevant for the logic functions it may be entering or leaving. Many control lines are not described or shown in this description as it will be obvious to anyone experienced in the art where, when, and how they should be used in order to make functional any apparatus described; descriptions are detailed when needed to help clarify the implementation of any particular function. Throughout this description the polarity of signals is usually [illegible] and not discussed unless of specific [illegible] to the invention. When a latch or other device is set or cleared the alternative arrangement is allowed for. While a latch or register is a commonly used storage device in parts of this description, [illegible] combination of logic and or software and or microcode that results in a similar outcome.

The invention describes:

1. a method of reversibly functionally limiting a software object that requires a secret processing device (or SPD) to reverse part or all of the functions of the reversible functional limitations and preferably includes a method of securely linking the conditions of use that apply to a particular reversibly functionally limited software object to said reversibly functionally limited software object such that this information may be used in part or whole to determine whether to permit the SPD to reverse the reversibly functionally limited software object. The conditions of use are preferably an integral part of the reversibly functionally limited software object and or supplied as one or multiple other modules that are linked in a manner that prevents the unauthorised separation of conditions of use and reversibly functionally limited software object. This produces a protected software object (or PSO) which may be distributed to a potential user and loaded onto a UCDPS and includes instructions to the SPD on how it may be used. This permits objects to be widely distributed and used on stand alone UCDPSs conditional on the SPD that is required to reverse, in part at least, the reversible functional limitations, complying with the conditions of use. The conditions of use may also be supplied in any other way, e.g. as separate modules, and may be loaded, or otherwise linked, into an SPD transparently to the operating system of the UCDPS or by using said operating system.

When a PSO is securely linked with conditions of use it may be used on a UCDPS equipped with an SPD without any extra intervention by the user than would normally be required for the protected object in its native software object form, with the exception of any requirements that the SPD requires of the user.

2. an apparatus referenced as an SPD that has various secure system functions that allow it to interact correctly with one or multiple reversibly functionally limited software objects prepared for use with one or multiple SPDs. The SPD includes an internal secure and secret operating system referred to as secure system functions. They interact in any way required to appropriately reverse, in part or whole, reversibly functionally limited software objects. The secure functions of the SPD may have other applications.

The preferred embodiment of an SPD is included within the package of the system microprocessor; such a combination may be referred to as a protected CPU (or PCPU). An SPD may be directly and or indirectly attached to the UCDPS external to the package of the system microprocessor; this is referenced as an ESPD. A PCPU may include multiple system microprocessors. There may be multiple PCPUs within a UCDPS. There may be multiple ESPDs within a UCDPS. Multiple SPDs in any location may interact in any way and combination with any others or not at all. The embodiment of a system microprocessor to implement the apparatus of the invention is predominantly dependent on the use of secure memory storage devices of various types and an ability to securely process information within these devices, and a person experienced in the art will be able to arrange logic, software and microcode in many combinations to effect versions of an SPD and PSO that are within the spirit of the invention. This arrangement permits the secure functions required of the present invention to be implemented. A person knowledgeable in the art will appreciate that the secure processes used for the invention may have multiple other secure applications. The known art does not describe a system microprocessor suitable for use in a UCDPS that provides the secure processing functions described in this embodiment. The invention allows for any system microprocessor that provides the apparatus and or functions described in the application.

Figure 1 shows a block diagram of a system microprocessor that may communicate with a secure microprocessor that is securely linked to one or multiple [illegible] secure functions. When the secure memory is programmed with appropriate information, the combination of software routines and embedded hardware functions and changes to the microcode of the system microprocessor provides all of the requirements of an SPD securely embedded within the system microprocessor package. This device may be used to replace the existing system microprocessor in a UCDPS and, subject to being supplied with any information required to meet the conditions of use attached to a PSO, may execute that PSO as if it were a normal software object. It will be appreciated by those experienced in the art that [illegible] logic, software and microcode to implement the device as described.
Figure 1 shows the silicon chip 130 of the system microprocessor 1. The system microprocessor 1 normally interfaces with external locations via an address bus 5 and address buffers 2 and data bus 6 and data buffers 3 and various control logic 7 via buffers 4. Buffers 2, 3 and 4 are enabled/disabled during normal processing by system microprocessor 1 via control line 9. Instructions are interpreted [illegible] and logical devices within the instruction execution block 8, located within system microprocessor 1. The apparatus of the invention needs to communicate with the system microprocessor 1 and this is most readily implemented with dual port memory 19, a memory that allows read and write accesses by two devices to the same addresses on an asynchronous basis. There are many ways of achieving an equivalent result. As described in this embodiment the DP memory 19 is not intended to store secure information; it is functioning as a port between unsecure and secure processes and it is not practical for an unauthorised person to access secure [illegible]. The invention allows for the recording of failed attempts at access and may disable itself to prevent repeated attempts to compromise secure elements.

The system microprocessor side of the DP memory 90 may be decoded into the normal address space of the UCDPS, using any known decoding apparatus, however, the preferred method is to make the addresses occupied by the 90 side of the dual port memory 19 a separate address space to the UCDPS. This is done by providing an instruction, referenced as a transparent address [illegible] functions.

The primary interaction of the system microprocessor 1 with dual port memory 19 will be to read and write data between UCDPS addresses and dual port memory 19 for transfer into secure functions 50 by the secure microprocessor 20, and the reverse. There may also be a requirement to transfer data from one location to another within the dual port memory 19. The address space occupied by the dual port memory may be any practical amount. Reset of the system microprocessor 1 initialises normal address decoding, with the dual port memory 19 inaccessible by the system microprocessor 1.

The execution of a TAA instruction, with for example X as the opcode, the combination being referenced as TAAX, is carried out if the system microprocessor 1 wants to move information from UCDPS memory to dual port memory 19, in which case buffers 2, 3, 4 would be [illegible]; during a write operation the address decoder enable signal 11 is active, enabling the address decoder 10 to decode a predetermined address block (that may be made programmable) of dual port memory 19 using chip select 13, which also keeps the buffers 2, 3, 4 disabled by blocking any enabling effect of 9 via logic gate 14. Data is read from UCDPS memory space and written to dual port memory 19. Instruction TAAY performs the reverse by activating 11 during read operations. Instruction TAAZ activates 11 for reading and writing. TAAB disables 11 for all reading and writing, the normal situation. The TAA instruction only affects operations that are fetching data, not instructions, and most system microprocessors have a signal to distinguish between the two. An instruction referenced as the TBAX instruction may be used to activate instruction fetches from dual port memory 19, by activating 11 during instruction fetches, and may be disabled by the TBAY instruction. Instructions are read operations. TAA and TBA instructions may be used in any combination. A reset has the same effect as TAAB and TBAY, ensuring normal processing on startup. While TBAX is active, instruction fetches from addresses outside the dual port memory 19 are from UCDPS memory. A watchdog counter or timer may be set, and this may be automatic, to perform an automatic TBAY instruction or any other method to avoid trapping the system microprocessor in dual port memory 19.

This method and apparatus provides a novel transparent method of including one or multiple devices within a system microprocessor without potentially conflicting with existing resources in a UCDPS and has multiple applications to the art of system microprocessor design. To avoid problems with interrupts directing processing to another routine that expects a normal environment, interrupts are inhibited by TAA and TBA instructions. An alternative allows for similar instructions that do not inhibit interrupts, allowing the interrupt handler and or task switcher to handle the situation, in which case the TAA and TBA instructions are disabled by an interrupt and a record of their status is stored in a location, e.g. a special register, accessible by the system operating system.
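The TAA/TBA routing rules set out above, as an added simulation that is not part of the patent: it models signal 11 routing data reads, data writes and instruction fetches either to UCDPS memory or to the dual port memory 19, the reset state, the watchdog that forces an automatic TBAY, and both interrupt variants. The class and method names, the size of the dual port window and the watchdog count are assumptions.

```python
"""Simulation of the transparent address access (TAA/TBA) instructions.

Added example, not the patent's own logic. Only the opcode names TAAX, TAAY,
TAAZ, TAAB, TBAX, TBAY and the idea of signal 11 come from the text; the
window size, watchdog limit and class layout are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, Optional

UCDPS = "ucdps"      # normal UCDPS memory space
DP = "dual_port"     # dual port memory 19


@dataclass
class TransparentAddressUnit:
    data_read_to_dp: bool = False        # signal 11 active for data reads (TAAY/TAAZ)
    data_write_to_dp: bool = False       # signal 11 active for data writes (TAAX/TAAZ)
    fetch_to_dp: bool = False            # signal 11 active for instruction fetches (TBAX)
    interrupts_inhibited: bool = False   # true while any TAA/TBA mode is active
    dp_window: range = field(default_factory=lambda: range(0x000, 0x400))  # assumed block
    watchdog_limit: int = 0              # fetches from DP allowed before auto-TBAY (0 = off)
    watchdog_count: int = 0
    saved_status: Optional[Dict[str, bool]] = None  # "special register" of the alternative

    def reset(self) -> None:
        """Reset has the same effect as TAAB and TBAY: normal processing."""
        self.execute("TAAB")
        self.execute("TBAY")
        self.watchdog_count = 0
        self.saved_status = None

    def execute(self, opcode: str) -> None:
        if opcode == "TAAX":       # UCDPS -> DP: reads stay normal, writes land in DP
            self.data_read_to_dp, self.data_write_to_dp = False, True
        elif opcode == "TAAY":     # DP -> UCDPS: reads come from DP, writes stay normal
            self.data_read_to_dp, self.data_write_to_dp = True, False
        elif opcode == "TAAZ":     # both directions to DP
            self.data_read_to_dp = self.data_write_to_dp = True
        elif opcode == "TAAB":     # signal 11 disabled for all data accesses
            self.data_read_to_dp = self.data_write_to_dp = False
        elif opcode == "TBAX":     # instruction fetches from DP
            self.fetch_to_dp = True
            self.watchdog_count = 0
        elif opcode == "TBAY":     # instruction fetches back to UCDPS memory
            self.fetch_to_dp = False
        else:
            raise ValueError(f"unknown opcode {opcode}")
        self.interrupts_inhibited = (
            self.data_read_to_dp or self.data_write_to_dp or self.fetch_to_dp
        )

    def route(self, kind: str, address: int) -> str:
        """Which memory an access of kind 'read', 'write' or 'fetch' reaches."""
        to_dp = {"read": self.data_read_to_dp,
                 "write": self.data_write_to_dp,
                 "fetch": self.fetch_to_dp}[kind]
        # decoder 10 only decodes the predetermined DP block; everything else,
        # including fetches outside the block while TBAX is active, is UCDPS memory
        if to_dp and address in self.dp_window:
            if kind == "fetch" and self.watchdog_limit:
                self.watchdog_count += 1
                if self.watchdog_count >= self.watchdog_limit:
                    self.execute("TBAY")   # automatic TBAY: do not trap the CPU in DP
            return DP
        return UCDPS

    def interrupt(self, inhibiting_variant: bool = True) -> bool:
        """Model an interrupt request; returns True if it is taken."""
        if inhibiting_variant and self.interrupts_inhibited:
            return False               # TAA/TBA inhibit interrupts
        # alternative variant: record the TAA/TBA status, then return to normal
        self.saved_status = {"read": self.data_read_to_dp,
                             "write": self.data_write_to_dp,
                             "fetch": self.fetch_to_dp}
        self.execute("TAAB")
        self.execute("TBAY")
        return True


class Machine:
    """Two memories behind a TransparentAddressUnit; loads and stores go via route()."""

    def __init__(self) -> None:
        self.unit = TransparentAddressUnit()
        self.unit.reset()
        self.mem: Dict[str, Dict[int, int]] = {UCDPS: {}, DP: {}}

    def load(self, address: int) -> int:
        return self.mem[self.unit.route("read", address)].get(address, 0)

    def store(self, address: int, value: int) -> None:
        self.mem[self.unit.route("write", address)][address] = value

    def copy(self, src: int, dst: int, count: int) -> None:
        """Under TAAX this reads UCDPS memory and writes DP 19; under TAAY the reverse."""
        for i in range(count):
            self.store(dst + i, self.load(src + i))
```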

Secure processing is provided by including a second microprocessor 20 within 130 that may read and write to addresses within the secure address map 50 without being available to external analysis. Secure address block 50 is predominantly memory, divided into a small amount of mask ROM 51 to initially program the other information into the device, flash memory 52 for storage of information that needs to remain in the device in the event of total power loss, and battery backed static memory 53, that stores important information which may be rapidly erased in the event of tampering. The microprocessor 20 communicates with the secure memory 50 via address lines 84, data lines 100, and other various control lines including read write 93. Also decoded within the secure memory address is a battery backed realtime clock and or calendar 89 that cannot be tampered with and a crystal. A data encryption standard engine is preferably included. Decoding of secure addresses is provided by decode logic 25 and the various chip select signals are output on 83 to the various secure devices. The power management logic 65 receives external power on 60 and battery power on 87 from (preferably rechargeable) battery 70. An A/D converter 75 monitors voltage. Continuous power is supplied to 50 via 87. Power management 65 may also be used for any additional voltages to flash memory 52 and other battery backed logic, and provides recharging power to the internal battery 70. The microprocessor 20 communicates with the system microprocessor 1 via a dual port memory 19. The microprocessor 20 side 91 of dual port memory 19 is decoded by 25 via 40. Data lines 22, address lines 21 and read write 23 connect with 19 to allow reads and writes of information between microprocessor 20 and dual port memory 19. A similar method allows the system microprocessor to communicate with dual port memory via chip select 13 from its decode logic 10 and address lines 14 and 6. The decode circuit 10 uses high order address lines 12 and control lines 32 (e.g. valid address) and 11 (activated by TAA, TBA). This provides a method of transferring information to and from external locations to dual port memory 19 that may be read and written by microprocessor 20. No user supplied program can access the information in secure memory without access to the secret codes required, and these may be made as complex as secure memory resources allow.

It is preferable that the secure microprocessor includes a direct memory access (DMA) facility to move blocks of information from UCDPS memory directly into secure memory locations and or from secure memory to external locations. This may actually improve the efficiency of the original system microprocessor, permitting it to perform other tasks while a block of information is securely processed in internal memory. Access to this DMA facility should be decoded into the secure function address block and should only be able to be selected by an instruction originating within secure system functions (as described later). Any possibility of an external program and or a program executing in a user partition having unsupervised access to the DMA controller 125, which may be programmed to move a large block of system information to external locations, would be disastrous.

The microprocessor 20 would usually program the DMA controller 125 via data bus 100 and chip select 142 and read/write 102, using a routine known to have originated within one or multiple predetermined system functions. The details of including a DMA controller 125 are not described or shown. The method involves multiplexing the address 5, data 6 and control lines 7 of the system microprocessor 1 with similar signals generated by the DMA controller 125 to read or write external locations, and multiplexing of the address, data, and control lines of microprocessor 20 to read and write [illegible]. [Illegible] controller is within the system microprocessor chip, arbitration logic between system microprocessor 1 and DMA controller 125 would be easier to implement at a logical level than for [illegible] DMA controllers. This type of DMA is transparent to external devices.

The invention also allows for [illegible] very powerful processing system, allowing secure and unsecure execution to proceed concurrently. Another attractive option is to use two different system microprocessors, e.g. an Intel type of CPU and a Motorola type of CPU. These may be multiplexed by one experienced in the art such [illegible] system functions while the other [illegible]. The secure functions may be duplicated, in part or whole, or each may have its own secure functions that are inactivated when a system microprocessor becomes the unsecure processor. A switch from secure processing to unsecure processing preferably ensures that any potentially secret information is flushed from CPU registers and any other locations that may become accessible to external analysis in the unsecure state. All secure functions would usually be inaccessible to the system microprocessor in unsecure mode. A person knowledgeable in the art should be able to design such an embodiment that performs to the requirements of the invention. This provides a convenient means of providing an existing UCDPS with a means of integrating two different UCDPSs into one. Of course this scenario might be expanded to any number of system microprocessors within the one package. When multiple system microprocessors are included in the one package, the one that is normally associated with the [illegible] referenced in this application as the Host CPU. Any other system microprocessors are referenced as a Grafted CPU. No changes would usually be required to any software to operate the Host CPU, however, other support may be required to simulate the [illegible] address trap [illegible] system microprocessor.

It will be appreciated by those experienced in the art that the embodiment described with reference to Figure 1 may be readily transferred to a location external to the system microprocessor by providing a secure [illegible] and replacing the transparent address space of the version within the PCPU with an appropriate address within the UCDPS address space.
A basic embodiment of an SPD for use external to the system microprocessor is described with reference to Figure 2 of the drawings showing a printed circuit board 700 that is capable of connecting with an appropriate socket on the bus expansion of a UCDPS 720 via the gold fingers 701 on the printed circuit board 700. Mounted onto PCB 700 are an address decoder 702 to receive address signals from the address bus of the UCDPS 721 and various control lines 722 that it uses to decode the UCDPS side of the dual port memory 704 to a suitable address location in the address map of the UCDPS using chip select line 712. The lower order address lines 723 of the UCDPS together with UCDPS data bus signals 724 and a read/write signal 725 pass from the UCDPS bus via buffer 703 to the UCDPS side of the dual port memory 704 via signal lines 713. The part of 703 that buffers the data lines is bidirectional. A microprocessor 707 includes two interrupt lines 730 and 731 and an [illegible] address bus 714 and a valid address signal 733 and a bidirectional data bus 715 and a read/write line 732 and internal programmable non-volatile memory 708 (e.g. flash memory) and a boot routine 735 to load information into non-volatile memory 708. A static RAM chip 709 is connected to microprocessor 707 low order address lines of address bus 714 and the data bus 715 and read/write line 732. Static RAM 709 is activated by chip select 740 that is created by the address decoder 705 decoding the high order address lines on address bus 714 in conjunction with valid address signal 733. When static RAM 709 is selected the microprocessor 707 may read and write data to and from 709. The microprocessor 707 side of the dual port memory 704 is attached directly to the 707 data bus 715 and read/write line 732 and low order address lines of address bus 714. The microprocessor 707 side of the dual port memory is activated for read and write operations by chip select 750 generated by address decoder 705, from high order address lines on the address bus 714 and the valid address signal 733. A rechargeable battery 710 is included providing backup power via 711 to the microprocessor 707 and the static memory 709. When the board 700 is plugged into an active UCDPS, the battery 710 is recharged from the system power supply. Microswitch 712 connects to interrupt line 730 causing an interrupt when the tamperproof enclosure 716 is disrupted. The tamperproof housing 716 securely encloses 710, 707, 709, 705, 704, 712, and all signal lines that may provide useful information. Interrupt line 731 causes an interrupt to 707 when the address decoder 702 decodes any address within the dual port memory, indicating that the external system microprocessor is accessing the device and that action may be required by microprocessor 707. The microprocessor 707 is normally in low power sleep mode. If awakened by interrupt 730 it immediately sequentially erases the values stored within SRAM 709 using a routine programmed into 707 prior to enclosure in 716. If awakened by 732 it continues processing as required. The SPD as described may be integrated into a single chip. A person experienced in the art would be able to adapt this design to attach the SPD to any suitable non-bus interface. A suitable location may be the parallel port on a shared basis with the printer; the known art for other types of software protection devices describes such a shared interface. The inclusion of a cryptoengine implemented in hardware would enhance decryption processes that are fundamental to the secure and versatile functions provided by an SPD.

Figure 3 shows a block diagram of the address map for secure functions within the system microprocessor package/die 130 of Figure 1. These secure functions may only be addressed by the secure microprocessor 20 and may not be accessed by external programs other than said programs providing information that is usually subject to validity checks and decryption before acceptance by the secure microprocessor 20 for further processing. The address decoder 25 decodes a battery backed real time clock calendar 89 with chip select 140, DMA controller 125 with chip select 142, Data Encryption Standard Engine 135 with chip select 143, and if the DES engine is constructed in part or whole from programmable logic devices (preferably SRAM, that may be battery backed if non-volatility is required) that are dynamically programmed as required, these devices are selected by select line 141, tamper detect 80 (preferably including a continually powered simple microcontroller to provide continuous security monitoring) selected by 144, A/D converter 75 by select line 145, power management 65 by select 146. The preceding devices would usually have fixed [illegible]; the chip selects 140, 141, 142, 143, 144, 145, 146, and any other additional select lines that may be included to access other secure devices, may only be selected if [the instruction that generates the] chip selects originates from [illegible]. To [protect this] area from non-system (user) programs, [the] first address of an instruction [is latched and] compared with an address block that delineates [secure system] memory 147. This address block is preferably programmable [illegible], however, there will be a known default on reset of the secure microprocessor 20. As an added precaution it is preferable to latch the first address of the preceding instruction and do a similar comparison. This requires any instruction that attempts access to secure functions in this part of the address map to have originated in secure system [memory], and the [preceding] instruction [illegible], preventing a program that may be executing within a secure user partition from accidentally or deliberately loading the program counter of the secure microprocessor 20 with unpredictable results. The address of the first instruction may be determined by including in the microcode of secure microprocessor 20 the generation of a signal to indicate that it is the first address of the instruction (this may already be the case). The program counter contents may also be latched. Chip select 147 from decoder 25 delineates the block of memory allocated to secure system functions. [Illegible] in this memory; the size of this memory is preferably variable to accommodate changing circumstances. This is usually done by programmable boundary 161. One boundary is usually fixed at the top of the available address space. The programmed value of 160 is supplied to address decode 25 and provided to its address comparators. These methods are well known to the art. Chip select 161 preferably requires the same precautions as regards checking the origin of the instruction as described for 140, 142, etc. Chip select 147 decodes the secure system memory. This preferably has the same requirements for two sequential instructions to have originated in secure system memory [illegible] reset the latches that store the addresses of [illegible] system memory. This enables the secure [illegible] provides a method for a user routine to transfer processing back to system memory in a controlled way. A user function may write to an addressable location that generates a user interrupt 180; the system functions may then interact in any predetermined manner to meet the requirements of the user function. The balance of the secure memory is allocated to various user functions. In a multitasking UCDPS, this is preferably partitioned into multiple user partitions. The preferred [illegible] be programmed by secure system [functions] [illegible] to the decode logic 25 to define the current user partition, that is decoded with chip select 148. This permits the available user partitions to be divided on a totally flexible basis as required. When processing transfers from one user partition to another, the secure system functions reprogram the appropriate values. When processing is transferred to a user partition no addresses are decoded outside this partition to prevent a user function compromising the system partition or another user partition. If the program counter is loaded with a value pointing to an address outside the user partition, it will not be decoded and the user function will usually crash. In case of a crash within one of the user partitions a watchdog timer 190 may interrupt 191 the secure microprocessor 20 after a predetermined period. This is preferably a programmable period that may also be used to task switch secure processes in a multitasking environment. Prior to transferring processing to the user partition, the secure microprocessor 20 registers are preferably stacked and cleared of sensitive information and or the registers are duplicated. The dual port memory is decoded by chip select 150. The secure microprocessor 20 may also generate at least one interrupt 195 to the system microprocessor that directs the system microprocessor to an interrupt routine in dual port memory and or any suitable location. This location is preferably read only to the system microprocessor and may be read and written by the secure microprocessor 20. This interrupt may bypass any normal interrupts generated by the UCDPS to the system microprocessor and be processed transparently to the operating system. See known art US Patent 5274834. It may be used for any reason, in particular to direct the system microprocessor to perform various functions within the UCDPS transparently to the UCDPS operating system. An interrupt may also be generated by the system microprocessor to the secure microprocessor 20. Interrupts to the secure microprocessor 20 are preferably specific to a particular source with sufficient interrupt lines to handle all interrupting devices.

Within the secure system memory is an area of masked ROM 51 that is usually a fixed amount, usually a fixed amount of flash memory 52 for storing information that survives total loss of power, and usually a variable amount of battery backed static memory 53 that securely stores secret system programs and data. This information may be lost in part or whole, due to accidental reasons, e.g. a flat battery (preferably rechargeable), or by activation of one or multiple tamper detect systems and or failure to comply with the conditions attached to using the SPD and or any other reason. System memory and user memory 54 is described later. Part at least of 53 and or 54 may be replaced by dynamic memory to provide greater memory density. This may particularly apply to secure system functions loaded from external sources as required, and user functions loaded as part of a PSO executing and or any other external information transferred as required.

Secure System Functions:

The system memory of an SPD must be preprogrammed with certain key programs and data prior to shipping to a user (usually as part of a UCDPS). This should be done in a secure environment, using secure methods, and is preferably completed during the manufacturing process. The service provider keeps a record of part at least of the information within each SPD. Once this key information has been programmed into the system memory, any other types of programs and or data may be suitably encrypted by the service provider and transferred to a user's SPD (usually while within their UCDPS) using methods that maintain the security of the information. The suitably encrypted information is programmed into the system and or user memory of the SPD on a temporary or permanent basis, and in many cases this will be a transient, dynamic process that occurs during the execution of various computer programs, particularly PSOs. This method allows almost any type of additional functions to be securely loaded and stored within the system memory, and or allows various programs to be loaded to replace and or modify existing system functions and or any other transfer of information for any reason.

Secure system functions are those functions applicable to the correct operation of the SPD and the provision of required resources to multiple secure user functions. Secure user functions are those applicable to one or multiple PSO loaded into memory of the UCDPS that requires the SPD and system functions within the SPD for its correct operation. Secure user functions are usually an integral part of, or integrally linked with, a particular PSO and loaded into the SPD as required. A PSO that is supplied by the service provider to securely update secure system functions would usually act as a secure user function, although its eff

The preferred SPD consists of the following:

1. It provides a tamperproof environment inhibiting attempts at analysing or tampering with one or multiple secret processes that may be occurring within said tamperproof environment, and known art to monitor the maintenance of the integrity of said secure packaging, together with a method of rapidly invalidating the contents should interference with the package be detected. As the preferred embodiment of the invention stores secret information independently of whether or not the UCDPS is active, part or all of the tamper detect and data invalidating methods are preferably performed by the secure microprocessor 20 (Fig 1) and or a microprocessor integrated into tamper detect 80 (Fig 1), continually powered and periodically awakened from a low power sleep mode to perform one or multiple housekeeping functions, including monitoring and or activating various intruder detect processes.

Secret information that may compromise the secure nature of multiple other SPDs is preferably stored in battery backed Static RAM (SRAM), a storage medium that may be rapidly invalidated by removal of power and or by a specially created subroutine that cycles through the memory changing values and or a specially designed cascade system that triggers automatic invalidations of static memory storage elements as is known to the art (reference Dallas Semiconductors Secure Microcontrollers). The invention allows for any known method and apparatus of detecting physical tampering with the SPD and allows for any method and apparatus of invalidating secret information in any type of memory storage device.

Secret information that is only likely to compromise the security of a particular SPD may be stored in SRAM, however, information that should survive invalidation of the information within SRAM is preferably stored in non-volatile locations. When this information needs to be programmed and or reprogrammed dynamically in the normal course of operation of the SPD, this requires a non-volatile storage medium that permits alteration after initial programming.

Information not requiring secrecy (as far as practical) and that is consistent across multiple SPDs is preferably implemented in mask ROM during the manufacture of the SPD. This usually includes initialisation routines to program other information into the SPD. When constructing an SPD that is not within the system CPU, the CPU chosen for the SPD will usually already have a boot or initialisation routine embedded within. Those experienced in the art will appreciate that information stored as masked ROM inside an integrated circuit (IC) package may be analysed, however, this is usually with great difficulty.

Where certain unique features are required in each SPD at the time of manufacture and secrecy (as far as practical) is not essential, they are preferably implemented by laser programming of a masked memory. This usually applies to one or multiple passwords that are applicable to a particular SPD.

The secret processing device (SPD) is a device that is not practical to tamper with. This device contains various secure functions that may perform useful functions for suitably configured software objects. It also provides various secure functions that permit a provider of protected software objects, referred to as service provider, to create an effective method of renting software to users. A number of alternative methods of securely distributing software are discussed. The method is secure from the perspective of the producer of the software object and provides a convenient means for a potential user to have access to a large amount of software that they only pay for as they use.

The invention allows that attempts may be made to physically tamper with the SPD. This may be for any reason, including the unauthorised extraction of secure information from the SPD. Secure system tamper detect functions, using any method and apparatus, may be used to detect tampering and or to take direct (that preferably includes immediately erasing and or altering information within part or all secure storage devices) and or indirect (e.g. via error functions) action in the event of tampering. Part of the tamper detect functions allow for any method and apparatus, referenced as secure system continuity functions, to confirm that one or multiple of any tamperproof mechanisms remain intact. One method is to include bidirectional logic at each end (or any other location) of the various signal lines to check for continuity of signal traces and or functioning of attached logic elements in those instances where the normal function does not permit this. This bidirectional logic is usually connected, directly and or indirectly, to addressable elements under the control of suitable software routines. The invention also allows for any method and apparatus to detect loss of clock to the realtime clock/calendar and or any one or multiple other clocked elements, including routines that periodically read these clocked devices (directly and or indirectly) to ensure that there are the expected incremental changes secondary to an active clock. It is preferable that part or all of the tamper detect mechanisms remain functional when the system power supply is removed. This may include the use of battery power to maintain one or multiple microprocessors within the device in an operational mode, enabling them to execute various system functions. Loss of battery voltage below a predetermined threshold (as detected by an integrated A/D converter) may trigger the erasure of part or all secure elements. It is preferable that an independently timed function is implemented (e.g. RC network) that must be periodically refreshed by one or multiple microprocessors. This confirms the presence of an active CPU and failure to periodically refresh this function would usually cause a default erasure and or alteration of secure storage elements.

The invention allows that various errors and or validity failures and or any processing error and or any other event may be recorded by secure system error monitoring routines (usually implemented within secure system memory). These may perform any functions, that may include:

recording abnormal events; and or

in response to a predetermined number and or types of abnormal events (and or any other reason) take one or multiple actions (that may be any action, including calling other functions to partially or totally disable the device); and or

return processing to the system CPU (with or without error reporting).

There may be a requirement to disable part or all of the SPD and or the device it may be integrated within (eg. system CPU). The functions to perform this are referenced as secure system disable functions and they may be implemented using any method and apparatus, including:

the generation of various clocks (and or any other meaningful signals) that trigger immediate erasure of volatile elements; and or

setting/clearing of flags (preferably in non-volatile locations) that may be read by various other functions that will not continue (and or any other outcome) in the event of an unacceptable value within a flag.

The invention also allows for any method and apparatus to temporarily inactivate the disable functions. This may be for any reason, however, the primary one is to stop inadvertent triggering of these functions during software development. The invention allows for any method and apparatus that prevents infringement of system security when the disable functions are in part or whole temporarily inactive.

2. It provides one or multiple blocks of memory arranged in a manner that prevents unauthorised analysis of the contents of such memory unless intended. This memory is referred to as secure memory. This may apply even if part or all of the memory contains information that is not secret.

The memory blocks may use any types of memory storage device, in any mix and combination. There are preferred types of memory storage devices to meet the requirements of specific functions.

The primary purpose of secure memory is that the processing of information within the secure memory, together with a means of transferring information between the SPD and external locations, allows certain secret processes to occur and or certain secret information to be securely stored. The processing of information within secure memory may include the use of any mix of secure and unsecure programs and or data, and any interaction with resources that are external to the SPD.

An SPD usually has one or multiple blocks of memory storage devices that may consist of any type and combination of memory storage devices arranged to make it not practical for unauthorised parties to analyse the values stored within part or all of said memory storage devices.

The memory storage devices preferably:

(a) include one or multiple blocks of Static RAM that are made non-volatile by connection to an uninterruptable power source that is preferably a rechargeable battery integrated into the device and or its enclosure, and or a rechargeable battery external to said device, and store secret information that should usually be invalidated in the event of tampering. Static RAM is preferably connected directly and or indirectly with one or multiple methods and apparatus to detect said tampering and invalidate, and or activate invalidation of, part or all of said secret information as a result of said tampering. The invention also allows for the inclusion of any method and apparatus to invalidate in part or all secret information stored within said static RAM for any other reason. This memory usually stores:

(i) secret system functions implemented at least in part as software routines, that need to be maintained in secrecy (as far as practical) and that cannot be stored in encrypted format in an external location and loaded and decrypted as required. An example of this may be the master decryption algorithm and or keys. If this was loaded from an external location it may be analysed and used to break the security of other encrypted information. Partial loading of decryption algorithms may be possible as long as sufficient function is kept securely within the SPD. Said sufficient function may in part or whole be a hardware implementation of a decryption algorithm.

(ii) information that may or may not need to be secret that is required to correctly interact with externally available information; this may include the loading of other information.

(iii) information that it is determined, for any reason, should be within the SPD on a continual basis.

(iv) information that is loaded from external resources. This may include secure system functions loaded in encrypted format and subsequently decrypted and may include appropriately encrypted objects supplied by an authorised party to modify information within the SPD.

The information described in (i), (ii), (iii) and (iv) constitutes part of the secure system functions (53 of figure 3) and consists of information that is known to be available within, or able to be loaded within, the device when required to perform the functions that are an integral part of the SPD. System functions are also known to have been carefully prepared and scrutinised in a secure environment so as not to compromise information within the SPD. Those secure system functions that are loaded into the SPD in encrypted format usually have tamperproof validity checking processes integrated into their structure to ensure the validity of the information prior to associating it with other secure system functions. That part of the secure memory that contains secure system functions is referenced as secure system memory.

(v) other information that may be loaded into the battery backed SRAM and may include one or multiple secure user functions (54 of figure 3). These are usually software objects supplied by various producers that have a requirement for interaction with the SPD. They usually require appropriate conversion of the software object by an authorised service provider to one that may be recognised and processed by the SPD and such an object is usually referenced as a protected software object or PSO. A PSO is usually encrypted and preferably has appropriate validity checking mechanisms embedded to ensure that the information is as supplied by the service provider. Those parts of the PSO that are to be transferred to locations within the SPD, whether data and or computer instructions, are referenced as secure user functions. In applications where this information is data that is to be processed securely using secure system functions, accidental and or deliberate tampering with the data usually has no potential unwelcome consequences within the SPD as the processing is performed by known processes.

(b) static RAM (SRAM) that is not battery backed and or dynamic memory may be used for secure system functions described in the preceding (a) part (iv), and or secure user functions in (a) part (v), and or any other information loaded into the SPD.

(c) an area of programmable locations that preferably includes one or multiple blocks of intrinsically non-volatile and reprogrammable memory eg. flash memory and or EEROM, including any required componentry to support programming and erasure of said flash memory and or EEROM. Particular applications of this area are the storage of information that should survive an erasure of SRAM for any reason, including accidental erasure. One of the features of the SPD is its capability, with appropriate software, to select random encryption keys and validity check sums, and use these to encrypt information stored externally, preferably on a mass storage device. This information may need to remain retrievable if the SRAM contents are corrupted. By retaining the keys to this information in non-volatile locations, a suitably protected routine may be used to recover the information. There is no security risk with externally encrypted information as the decryption key is inaccessible and may be varied every time.

(d) includes one or multiple blocks of memory of mask ROM that is programmed at the time of fabricating the memory storage devices and said mask ROM preferably includes an area that may be customised to create unique information for each device, one method of customising the device is with a laser. This is usually used to initially program data into other storage devices.

The current system functions within an SPD preferably have a version number stored in an externally accessible location, eg. dual port memory 19 of figure 1 that may be read by PSOs to ensure the SPD has the necessary resources to meet the requirements of the PSO.

3. It provides at least one secure microprocessor 20 and a method of decoding part or all of the secure memory and any other addressable functions within the address space of the secure microprocessor 20. The microprocessor is designed such that secret information that it reads and or writes and or processes, in part or whole, is not exposed.

The secure microprocessor 20 may be continually powered to perform reliable tamper detection and invalidation. The power source is usually shared with the battery backed SRAM and where present

It is preferable that the reset line on the secure microprocessor is connected to the reset line of the host UCDPS, enabling it to perform error checking on internal stored information prior to performing functions required by the UCDPS.

The secure microprocessor on reset (and or any other appropriate event) and or as part of its normal functions may perform various housekeeping duties while waiting for one or multiple interrupts generated by the UCDPS and or the reading of one or multiple appropriate locations directly and or indirectly written to by the system microprocessor, and or any other trigger for any one or multiple other functions.

4. The SPD is predominantly a secret processing environment where information in part or whole is generated (including by decryption) within the SPD. It is an essential function that there is a means of transferring information in and out of the SPD without compromising the security of information that must remain secret. This entails two basic requirements:

(a) The provision of one or multiple physical interfaces between SPD and sources of information. The invention allows for any known interface. This includes information that is transferred via the bus of the UCDPS, that is the usual method when the software objects using the SPD are executing and or being processed by the system microprocessor, and or information entering through one or multiple ports that may be read by the secure microprocessor and or any other function within the SPD.

The preferred interfaces include any ports that are part of the secure microprocessor or any other part of the SPD, dual port memory 19, latches and or registers (unidirectional and or bidirectional), FIFO memory, a facility for the secure microprocessor to have direct access to the address bus of the UCDPS and move information under programmed control and or by direct memory access (DMA).

(b) a method for the SPD and UCDPS to determine which locations have valid information and a method of acting on this information. The information may be commands and or programs requiring execution and or data for any reason and or any other information. This is a function of the secure system functions and specifically those referenced as secure system I/O functions. They require similar processes to those provided by any operating system and are within the expertise of those experienced in the art of writing operating systems. Moreover, as the SPD includes functions to load and execute externally supplied software objects that may securely modify the various secure system functions, more flexibility is provided with an SPD than many UCDPSs having part of their operating system in memory that is not easily modified.

The preferred embodiments of the invention provide a dual port memory 19 that is accessible by the secure microprocessor and the system microprocessor. This occupies a predetermined part of the address map (that may be programmable) as previously described with reference to Figures 1 and 3.

The next part of the description may be better understood by reference to Figure 4 of the drawings that shows:

A system port structure 199 is established that may have one or multiple addresses which the system microprocessor writes to, referenced as system command input port 200, and one or multiple addresses that it reads, referenced as system command output port 201. The SPD reads command input ports and writes to command output ports. As these are usually part of a block of memory, they may be dynamically reconfigured by appropriate interaction between system microprocessor 1 and secure microprocessor 20. This reconfiguring may change locations and or the number of addresses constituting a port. It is preferable to have a system input data port 202 for the transfer of information other than commands from UCDPS to SPD and a system output port 203 for non-command transfers from SPD to UCDPS. In the case of dual port memory a large block of addresses may be allocated for non-command information and the addresses and sizes may be dynamically configured. The actual allocation of input and output ports is preferably a function of the SPD and is likely to be a dynamic state. In a single tasking environment this may be the only interfacing required. The inclusion of a DMA channel 125 on the SPD is the preferred method of moving large blocks of information in and out of the secure memory 53, 54 of the SPD. Address and control lines 220 and data lines 221 from the DMA controller 125 are multiplexed in 235 with similar signals from system microprocessor 230 for interface with external memory. Address and control lines 222 and data lines 223 are multiplexed (not shown) with similar signals from secure microprocessor 20 for transferring information to and from secure memory 53 and 54.

The invention also allows for the SPD to handle the requirements of multiple PSOs in a multitasking environment and that the system command and data ports as described may be sufficient if the UCDPS operating system is modified to send a command to an appropriate location in a command port to instruct the SPD of a task change and does not proceed until the command is acknowledged.

The preferred method is to use the system command and data ports for establishing certain parameters within the SPD when a PSO first requires access to the SPD. The PSO would usually send information requesting a user partition 54 of Figure 3 and a user port structure 205 of Figure 4. The SPD would usually respond with availability of this memory and dynamically configure a user command input port 206 and or user command output port 207 and or user input data port 208 and or user data output port 209. The PSO stores these port addresses in a suitable location in its own address space and directs all commands and other information to and from these user ports until otherwise appropriate. A multitasking kernel within secure system functions is preferably responsible for such port configuration as part of its functions. The space used by these ports is reallocated when a software object terminates interaction with the SPD. Any one or multiple user ports may be dynamically reconfigured as required while still in use with a particular PSO. This process permits the SPD to be transparent to the UCDPS task handler.
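
The request, allocate and release exchange just described, as an added C simulation that is not part of the patent. The dual port memory 19 is a byte array; the system command input port 200 and output port 201 sit at fixed offsets, and the SPD carves user port structures 205 (ports 206 to 209) out of a free area on request and reclaims them on release. The offsets, command codes, four-byte port width and the ping transform are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

#define DPM_SIZE        256
#define SYS_CMD_IN      0x00  /* system command input port 200: UCDPS writes, SPD reads */
#define SYS_CMD_OUT     0x08  /* system command output port 201: SPD writes, UCDPS reads */
#define USER_AREA_BASE  0x20  /* user port structures 205 are carved out from here */
#define USER_PORT_BYTES 0x10  /* four 4-byte ports per user port structure (assumed) */
#define MAX_USERS       4

enum { CMD_NONE = 0, CMD_REQUEST_PORTS = 1, CMD_RELEASE_PORTS = 2, CMD_USER_PING = 3 };
enum { ACK_OK = 1, ACK_BUSY = 2, ACK_BAD = 3 };

typedef struct {
    uint8_t dpm[DPM_SIZE];      /* dual port memory 19, shared by both processors */
    uint8_t owner[MAX_USERS];   /* PSO id holding each user slot, 0 = free */
} spd_io_t;

/* The addresses a PSO stores in its own address space after a request. */
typedef struct { uint8_t cmd_in, cmd_out, data_in, data_out; } user_ports_t;

static uint8_t slot_base(int slot) { return (uint8_t)(USER_AREA_BASE + slot * USER_PORT_BYTES); }

/* SPD side: service the system command input port once, as the multitasking
 * kernel would on an interrupt or poll, and answer on the output port. */
static void spd_service_system_port(spd_io_t *s) {
    uint8_t *in = &s->dpm[SYS_CMD_IN], *out = &s->dpm[SYS_CMD_OUT];
    uint8_t cmd = in[0], pso = in[1];
    int slot;
    memset(out, 0, 8);
    if (cmd == CMD_REQUEST_PORTS && pso != 0) {
        for (slot = 0; slot < MAX_USERS && s->owner[slot] != 0; slot++) {}
        if (slot == MAX_USERS) {
            out[0] = ACK_BUSY;                 /* no user partition available */
        } else {
            uint8_t b = slot_base(slot);
            s->owner[slot] = pso;
            memset(&s->dpm[b], 0, USER_PORT_BYTES);
            out[0] = ACK_OK;
            out[1] = b;                        /* user command input port 206 */
            out[2] = (uint8_t)(b + 4);         /* user command output port 207 */
            out[3] = (uint8_t)(b + 8);         /* user input data port 208 */
            out[4] = (uint8_t)(b + 12);        /* user data output port 209 */
        }
    } else if (cmd == CMD_RELEASE_PORTS) {
        out[0] = ACK_BAD;
        for (slot = 0; slot < MAX_USERS; slot++) {
            if (s->owner[slot] != pso) continue;
            s->owner[slot] = 0;                /* space reallocated on termination */
            memset(&s->dpm[slot_base(slot)], 0, USER_PORT_BYTES);
            out[0] = ACK_OK;
        }
    } else {
        out[0] = ACK_BAD;
    }
    in[0] = CMD_NONE;                          /* command consumed */
}

/* SPD side: service every allocated user command input port. */
static void spd_service_user_ports(spd_io_t *s) {
    for (int slot = 0; slot < MAX_USERS; slot++) {
        uint8_t b = slot_base(slot);
        if (s->owner[slot] == 0 || s->dpm[b] != CMD_USER_PING) continue;
        s->dpm[b + 12] = (uint8_t)(s->dpm[b + 8] ^ 0xFFu); /* constructed 208 -> 209 transform */
        s->dpm[b + 4] = ACK_OK;                            /* reply on port 207 */
        s->dpm[b] = CMD_NONE;
    }
}

/* PSO side: ask for a user partition and port structure. Returns 1 on success. */
static int pso_request_ports(spd_io_t *s, uint8_t pso, user_ports_t *p) {
    s->dpm[SYS_CMD_IN + 1] = pso;
    s->dpm[SYS_CMD_IN] = CMD_REQUEST_PORTS;
    spd_service_system_port(s);
    const uint8_t *out = &s->dpm[SYS_CMD_OUT];
    if (out[0] != ACK_OK) return 0;
    p->cmd_in = out[1]; p->cmd_out = out[2]; p->data_in = out[3]; p->data_out = out[4];
    return 1;
}

/* PSO side: round trip through its own ports; returns the byte on port 209. */
static uint8_t pso_ping(spd_io_t *s, const user_ports_t *p, uint8_t datum) {
    s->dpm[p->data_in] = datum;
    s->dpm[p->cmd_in] = CMD_USER_PING;
    spd_service_user_ports(s);
    return s->dpm[p->cmd_out] == ACK_OK ? s->dpm[p->data_out] : 0;
}

/* PSO side: terminate interaction so the SPD can reallocate the space. */
static int pso_release_ports(spd_io_t *s, uint8_t pso) {
    s->dpm[SYS_CMD_IN + 1] = pso;
    s->dpm[SYS_CMD_IN] = CMD_RELEASE_PORTS;
    spd_service_system_port(s);
    return s->dpm[SYS_CMD_OUT] == ACK_OK;
}

static spd_io_t     g_io;        /* constructed shared state for the demonstration */
static user_ports_t g_ports[2];
```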

5. Secure System and Secure User Partitions:

If the SPD is to provide any useful processing of information supplied, it requires a method of transferring information into secure areas where it may be further processed. As described, a potential unsecure process is introduced into an SPD once the facility is provided to load externally supplied information into secure memory that in part or whole consists of executable code. PSOs that are to modify the secure system functions are usually provided by the service provider from software objects in their control and the security is good. When a PSO is produced by a Producer, there can be no such guarantee of the integrity of the contained program code. The execution of this material may read information from secure system functions and write it to external locations. In a multiuser system, it may also compromise information relevant to another PSO.

The preferred method is to partition the available secure memory into partitions as previously described that includes a system partition and one or multiple user partitions. Programs within a system partition may access any secure memory address. Programs within a user partition are confined to their own partition. This is implemented using dual latching of instruction sources as previously described. This protects system integrity and the integrity of one user partition from any other. An alternative is to perform this function with software, by checking that each instruction executing within a particular user partition is not intended to make an unauthorised access to system

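
The confinement described here and in the earlier paragraph on watchdog timer 190 and interrupt 191, as an added C model that is not from the patent: a tiny fetch/execute loop runs constructed user instructions, refuses to decode any address outside the user partition (the "crash" in the text), stacks and clears the secure microprocessor registers before the transfer, and gives up after a tick budget standing in for the watchdog period. The instruction set, the partition layout at 0x80..0xFF, the 64-tick budget and the sample programs are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define SECURE_MEM_SIZE 256u
#define USER_BASE       0x80u   /* constructed user partition: 0x80..0xFF */
#define USER_LIMIT      0x100u

enum { OP_LOAD = 1, OP_STORE = 2, OP_JUMP = 3, OP_HALT = 4 };
typedef enum { RUN_HALT = 0, RUN_FAULT_DECODE = 1, RUN_FAULT_WATCHDOG = 2 } run_result_t;

typedef struct {
    uint8_t  mem[SECURE_MEM_SIZE];  /* secure memory 53/54 as one address space */
    uint16_t part_base, part_limit; /* decode window while a user partition runs */
    int      system_mode;           /* 1 while secure system functions execute */
    uint32_t regs[4];               /* secure microprocessor 20 registers */
    uint32_t saved[4];              /* stacked copy taken before the transfer */
} spd_t;

/* Address decode: everything in system mode, only the window in user mode. */
static int spd_decodes(const spd_t *s, uint16_t addr) {
    if (addr >= SECURE_MEM_SIZE) return 0;
    return s->system_mode || (addr >= s->part_base && addr < s->part_limit);
}

/* Transfer to a user partition: stack and clear registers, narrow decoding. */
static void spd_enter_user(spd_t *s, uint16_t base, uint16_t limit) {
    memcpy(s->saved, s->regs, sizeof s->regs);
    memset(s->regs, 0, sizeof s->regs);   /* nothing sensitive reaches user code */
    s->part_base = base; s->part_limit = limit;
    s->system_mode = 0;
}

/* Back to the system partition: restore registers and full decoding. */
static void spd_leave_user(spd_t *s) {
    memcpy(s->regs, s->saved, sizeof s->regs);
    s->system_mode = 1;
}

/* Fetch/execute 2-byte instructions until HALT, an undecoded address (the
 * "crash" in the text) or exhaustion of the tick budget standing in for timer 190. */
static run_result_t spd_run_user(spd_t *s, uint16_t pc, unsigned ticks) {
    while (ticks-- > 0) {
        if (!spd_decodes(s, pc) || !spd_decodes(s, (uint16_t)(pc + 1)))
            return RUN_FAULT_DECODE;      /* program counter left the partition */
        uint8_t op = s->mem[pc], arg = s->mem[pc + 1];
        switch (op) {
        case OP_LOAD:
            if (!spd_decodes(s, arg)) return RUN_FAULT_DECODE;
            s->regs[0] = s->mem[arg]; pc += 2; break;
        case OP_STORE:
            if (!spd_decodes(s, arg)) return RUN_FAULT_DECODE;
            s->mem[arg] = (uint8_t)s->regs[0]; pc += 2; break;
        case OP_JUMP:
            pc = arg; break;              /* target is checked at the next fetch */
        case OP_HALT:
            return RUN_HALT;
        default:
            return RUN_FAULT_DECODE;      /* undefined opcode treated as a crash */
        }
    }
    return RUN_FAULT_WATCHDOG;            /* interrupt 191 after the period */
}

static spd_t g_spd;   /* state of the last demo run, kept for inspection */

/* Constructed system-partition secret at 0x10, user datum at 0x90, and a
 * sensitive register value that must not be visible to the user partition. */
static void spd_demo_setup(void) {
    memset(&g_spd, 0, sizeof g_spd);
    g_spd.system_mode = 1;
    g_spd.mem[0x10] = 0x5A;
    g_spd.mem[0x90] = 0x33;
    g_spd.regs[1] = 0xDEADBEEFu;
}

/* Load a constructed user program at 0x80 and run it in the user partition. */
static run_result_t spd_demo(const uint8_t *prog, size_t len) {
    spd_demo_setup();
    memcpy(&g_spd.mem[USER_BASE], prog, len);
    spd_enter_user(&g_spd, USER_BASE, USER_LIMIT);
    run_result_t r = spd_run_user(&g_spd, USER_BASE, 64);
    spd_leave_user(&g_spd);
    return r;
}

/* 1 if registers are cleared on entry to the user partition and restored after. */
static int spd_demo_registers(void) {
    spd_demo_setup();
    spd_enter_user(&g_spd, USER_BASE, USER_LIMIT);
    int cleared = (g_spd.regs[1] == 0);
    spd_leave_user(&g_spd);
    return cleared && g_spd.regs[1] == 0xDEADBEEFu;
}

static const uint8_t PROG_LEAK[]   = { OP_LOAD, 0x10, OP_HALT, 0 };  /* reads the system partition */
static const uint8_t PROG_ESCAPE[] = { OP_JUMP, 0x00 };              /* jumps out of the partition */
static const uint8_t PROG_LOOP[]   = { OP_JUMP, 0x80 };              /* never halts: watchdog case */
static const uint8_t PROG_OK[]     = { OP_LOAD, 0x90, OP_STORE, 0x91, OP_HALT, 0 };
```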
The actual method of programming information into the storage devices will depend on the type of storage device and may use any known method.

The timed password access method makes it unlikely that the password protection will be defeated, while retaining functionality for those parties with the necessary knowledge, even in the presence of previous unsuccessful attempts at programming and or deliberate attempts to inactivate the device (eg. computer viruses). This contrasts with password systems that permanently inactivate the process after a predetermined number of attempts, possibly preventing further programming of the device by authorised parties.

The invention allows that a preferably unique password is programmed (usually as part of SSIF) into each device. Without access to this unique password the probability

In an SPD integrated within a system microprocessor, particularly one with multiple microprocessors within, the SSIF may reside in memory locations exclusive to one of the on chip CPUs and be transferred where necessary, using any internal mechanisms (including software), to any required storage devices; and or

may be loaded into memory locations shared by multiple CPU's within the package; and or

may be loaded into multiple locations, each location of which is exclusive to a particular CPU within the device.

The invention allows that only one CPU or a subset of available CPU's may load information for other CPU's, and or that particular CPU's load information for their own use.

The preferred method of activating the SSIF functions when the SPD is within the system microprocessor is to load the password into one or multiple CPU registers and execute a specially created instruction that activates SSIF to read the password and continue as appropriate. An alternative is to utilise the functions that detect and process the post instruction symbol stream as described later.

The timed password access (also referenced as TPA) may use any method and apparatus. It prevents any practical gain from attempting unauthorised access to any particular password protected event. It is based on a password of such complexity that in practice it would take such a long time to try all the permutations that it is not practical to gain access to the protected event. Said complexity is assisted by incorporating a delay mechanism that restricts the frequency of attempted access. Said delay may be variable for any reason (eg. to allow for legitimate errors) and may be created using any method including software loops and or physical delays. The delay may be a hierarchical system that includes different delays depending on the number of incorrect attempts at access. It is preferable that said delay is not affected by powering down of the device to prevent rapid power cycling defeating delay mechanisms. One method and apparatus consists of the following steps:

a) create one or more password keys that are stored securely.

b) create a means to store a cumulative count in a location that is internally available and preferably non-volatile.

c) create a means to generate a known time interval. The invention allows for embodiments allowing a variable interval, this is most readily achieved by a software loop.

d) create a means to input a password, eg create a specific instruction that can pass externally supplied information to the relevant routines.

e) create a means to input function requests.

f) user activates d) and e) including transferring password and target function to the process.

g) check the value in cumulative count in b).

h) if less than certain predetermined value then go to step j) else proceed.

i) invoke c) to generate time delay.

j) increment the value in b).

k) confirm step j) has occurred if there is a chance that external actions may interfere with j).

l) input password using d) and compare with key in a). If a match go to step o), else proceed.

m) set flag in external memory to indicate failed attempt at calling program.

n) exit, to try again enter at f) (if below the predetermined count above, retry will be immediate, otherwise a delay will be encountered every time).

o) clear flag in external memory to indicate success.

p) proceed with called process.

q) return to external memory when finished.

19 Note: for passwords that protect access to processes mat are implemented after destruction or alteration of erasable 

20 areas, software routines and associatrri key codes should *tami u rithm mmr^ y ^ ^ mged 

The advantage of TPA over a limited number of attempts that then blocks the system is that it prevents the accidental and or deliberate permanent disablement of part or all of the device. The invention allows for a mix of methods.
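The following is an added example, not code from the patent, that implements steps a) to q) above in Python. The secure device is modelled as a class whose cumulative failure count lives in a dictionary standing in for the preferred non-volatile store, so the delay survives a power cycle (a new device object over the same store). Two points the page leaves open are filled in as labelled assumptions: the count is reset on a successful login, and the delay grows with the count (the hierarchical option) up to a cap. The salt, the threshold and the names SecureDevice and request are this example's own.

```python
"""Timed password access (TPA) following steps a) to q) of the page.

Added example, not the patent's code. The delay is injected (sleep=) so the
logic can be exercised without waiting; a real device would use a hardware
timer or a software loop that power cycling does not reset.
"""
import hashlib
import hmac
import time

THRESHOLD = 3          # step h): attempts below this count are not delayed
BASE_DELAY_S = 0.05    # step c): unit of delay (small so the demo runs fast)
MAX_DELAY_S = 1.0      # cap on the hierarchical delay (assumption)


def _hash_password(password: bytes, salt: bytes) -> bytes:
    # Step a): the stored key is a salted hash, not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


class SecureDevice:
    def __init__(self, password: bytes, nonvolatile: dict, sleep=time.sleep):
        self._salt = b"example-salt"             # constructed for the demo
        self._key = _hash_password(password, self._salt)
        self.nv = nonvolatile                     # step b): survives power-down
        self.nv.setdefault("fail_count", 0)
        self.nv.setdefault("flag", "none")       # steps m)/o): external flag
        self._sleep = sleep                       # injectable for tests
        self.delays_imposed = []                  # record of step i) for inspection

    def delay_for(self, count: int) -> float:
        # Step c): hierarchical delay that doubles with each further failure.
        return min(BASE_DELAY_S * 2 ** (count - THRESHOLD), MAX_DELAY_S)

    def request(self, password: bytes, target):
        """Steps f) to q): returns target()'s result on success, None on failure."""
        count = self.nv["fail_count"]                       # g)
        if count >= THRESHOLD:                              # h)
            d = self.delay_for(count)                       # i)
            self.delays_imposed.append(d)
            self._sleep(d)
        self.nv["fail_count"] = count + 1                   # j)
        assert self.nv["fail_count"] == count + 1           # k)
        candidate = _hash_password(password, self._salt)
        if not hmac.compare_digest(candidate, self._key):   # l)
            self.nv["flag"] = "failed"                      # m)
            return None                                     # n)
        self.nv["flag"] = "ok"                              # o)
        self.nv["fail_count"] = 0                           # assumption: reset on success
        return target()                                     # p) and q)


if __name__ == "__main__":
    store = {}
    dev = SecureDevice(b"s3cret", store)
    for _ in range(4):
        dev.request(b"wrong", lambda: None)
    print("delays so far:", dev.delays_imposed)
    print(SecureDevice(b"s3cret", store).request(b"s3cret", lambda: "unlocked"))
```

Because the count is kept in the store rather than in the object, removing power and re-creating the device does not clear the penalty; that is the property the text asks for when it says the delay should not be affected by powering down.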
24 

Electronic Signature. One or more processes during manufacture and or initial programming and or normal operation of the invention may need to identify parameters unique to a particular PCPU or ESPD, and or to a particular group of PCPUs and or ESPDs (for any reason, including for example referencing a secure database to determine a password to activate the initialisation program described above). This may be done by any method known to the art, including physical markings on the outside of the CPU package; however, the invention allows for one or multiple serial numbers and or any other identifying symbols to be stored within the device, usually at the time of manufacture. These are amenable to retrieval under program control and or any other form of automated process using any method and apparatus. This provides an automatic method of uniquely identifying a particular device and or group of devices. This is referenced as an electronic signature and is usually included as part of the SSIF. Said one or multiple electronic signatures may be transferred to an external location using any method and apparatus and used by an authorised party as an index to secure information stored within that particular device (and or for any other reason). The preferred method when the device is a PCPU is to create a specific instruction that, when executed, stores said serial number from a non-volatile storage location within the SSIF to a predetermined CPU register. This process is usually accessible to anyone, although it may be protected by passwords and or any other method. For ESPDs the serial number is usually read from an addressable location within the ESPD by the system CPU. In the case of the ESPD described with reference to figure one, the secure system interface functions programmed into flash memory 708 would include the electronic signature and, when the microprocessor 707 is first activated by an interrupt on 731 after programming of said secure system initialisation functions, a routine would transfer the electronic signature to a predetermined location in the dual port memory 704, where it is accessible to the system microprocessor.
5 

The invention allows that a secure system user password function may be included within one or multiple PCPUs and or one or multiple ESPDs, and this may be required to activate part and or all of the invention. In the case of a system CPU it may also be required to enable the normal processing functions of the device, providing a secure method of stopping unauthorised use of the UCDPS containing said system CPU. Any method and apparatus may be used to implement this function. The usual presence of programmable memory and programmable non-volatile storage elements provides for a plurality of methods. The invention allows for a multi-tiered password system. The preferred embodiment is a time based password system (as discussed elsewhere) that resides in secure system memory and activates routines that reverse various locks placed on part or all of the device.
14 

The password functions usually include routines to disable part or all of the device in response to a specific command (a method that requires a password), and or functions (usually implemented in hardware) that disable part or all of the device in response to reset and or power down and or any other criteria including automatic timeout (preferably programmable). The password processing system itself is not usually disabled; these functions automatically disable the SPD and or other applicable devices and require the correct password to reactivate the SPD and or other applicable devices.

The password(s) is usually stored in secure non-volatile system memory. The device may be shipped to the user with a known default password and or with the password system disabled. Entry to the password system may use any method. In the case of a PCPU this may include use of a special instruction and or a suitable Post Instruction Symbol Stream (PISS). In the case of an ESPD it may involve passing commands using one or multiple methods as described elsewhere in this application, usually by writing and or reading predetermined address locations. A user accessing the device with the correct password may be able to change passwords.

The password system is usually constructed to allow the service provider to reinitiate or disable said password system by supplying an appropriate software object, preferably a PSO.
31 

The inclusion of at least one unique and secure code within each device, together with other suitable support resources, allows a plurality of methods of secure information transfer to be established between an information provider with access to the secure contents of the device and the device, and or provides for the secure transfer of information in the reverse direction, and or permits information to be specifically encrypted for a particular secure system. These are referenced as system local code functions and they assist the implementation of multiple secure applications, including the secure transfer of information to a device that can verify the source and or validity of the information, and or the secure supply of information from a particular device that can be verified for validity and source by an information receiver (with access to the secure information within the originating secure system CPU); this may be used for any reason including secure communications and or the secure transfer of electronic funds.
The inclusion of one or multiple system group code functions that are identical across a particular group of devices (eg. those destined for the same country) may be used for any reason. This may include the restriction of certain PSOs to particular group codes. One or multiple group codes may be fixed, and or part or all of the group codes may be user programmable and or password protected. This may allow, for example, parents to restrict children's access to inappropriate PSOs.

The secure local and or group codes may be data and or actual computer instructions.
9 

The effectiveness of the software distribution system forming part of this application is partly dependent on a service provider having access to secure information within each SPD, on some of this information being common to multiple SPDs (enabling the creation of PSOs that have general application), and on some information being specific to a particular SPD.
14 

The inclusion of secure system command functions to detect instructions (that may be implied instructions) amongst information supplied to the SPD (using any method and apparatus) and or generated by a secure user function and or generated by secure system functions, requesting the SPD to perform certain tasks. These tasks may be any and may include:

commence execution of internal programs from any source; and or

pass data received from external sources to internal functions; and or

receive a request from internal functions to transfer processing back to the system CPU for any reason; and or

accept data from internal functions for transfer to a location readable by the system CPU; and or

provide a command structure within the SPD to co-ordinate other system functions and, where appropriate, interact with secure user functions; and or

where applicable, co-ordinate interaction with realtime decryption processes; and or

any other required function.
27 

The invention allows for any method that permits an SPD to monitor a PSO as it is executed in order to detect various specially constructed process transfer instructions and or other suitable markers that indicate that interaction with the SPD is required. This particularly applies to a PCPU, where the method usually involves the transfer of processing from external unsecure memory to internal secure locations for continued processing by the system microprocessor using secure methods and or by other embedded microprocessors (that may include other system microprocessors), and or the activation of realtime decryption to use encrypted information held in an external location.

The process transfer instruction may inherently direct external programs to the appropriate function or may require a post instruction symbol stream as described with reference to the preferred embodiment.

Secure system command functions also include any functions to transfer processing back to the PSO.
39 
The secure system command function should be structured so that entry to secure system functions is in a regulated manner. This is readily achieved for an ESPD, where interfacing may be directed to a limited number of addressable locations that may have various validity checking performed on the data. The process is more complex for a PCPU and is described in more detail with reference to a PCPU.

An important function of secure system command functions is to direct the decryption of incoming encrypted information, direct the transfer of the decrypted information to a suitable location and, where this decrypted information consists of computer instructions, direct execution to the relevant starting point in the decrypted program and provide any necessary support functions as said computer program is executed. When the incoming encrypted information is data this should be processed as required, which may include appropriately linking it with any internal and or external programs and or data and or special purpose functions (eg. the data may be used to configure programmable logic, creating its own decryption engine), including a linked computer program also transferred in encrypted format. The command functions also direct the return of execution and or data to external locations as required.
15 

7. The invention also allows that one or multiple hardware devices within the SPD may actually be fabricated in part or whole from programmable logic devices. This particularly applies to encryption/decryption engines that may be dynamically engineered as required. The preferred type of programmable logic is that known to the art (refer to programmable gate arrays by Xilinx) using battery backed static memory to create the interconnections between the various logic gates, as this may be rapidly erased if required. The transfer of this configuration information to the programmable logic elements is preferably via one or multiple addressable locations, and is preferably parallel data. Part or all of such devices may need programming prior to leaving a secure location.
23 

8. Secure Decryption, Secure Processing, Secure Decryption and Processing, Secure Processing of Information Unique to the SPD. The system functions should provide suitable software routines such that, when requested by appropriate commands, they perform a combination of functions that effect any combination of the following:

• the secure transfer of at least a portion of encrypted information constituting part or all of a software object from a location external to said physical device to a location internal to said physical device, wherein said physical device securely decrypts part or all of said encrypted information within said physical device in conjunction with or subsequent to the transfer, and

• may initiate and securely process part or all of the ensuing decrypted information in conjunction with and or subsequent to the decryption process, and

• may interact in any way with any other internal and or external information to correctly perform said process and may terminate said process as required, and

• said termination may transfer data and or execution to any other internal and or external location, including the external software object, and

• the preceding processes occur in a manner that minimises or eliminates analysis of part or all of the decrypted instructions and or data; and or

• that includes computer instructions and or data securely programmed within said physical device and a facility for an external software object to transfer processing to said computer instructions and or data securely programmed within said physical device, and the capability of processing part or all of said securely programmed information in a secure manner, interacting in any way with any other internal and or external information to correctly perform said process, and

• may terminate said process as required, and

• said termination may transfer data and or execution to any other internal and or external location, including the external software object, and

• the preceding processes occur in a manner that minimises or eliminates analysis of secret information; and

• with the capability of being suitably requested by an external software object to provide information securely stored within.
12 

The secure system decryption/encryption functions (together with the necessary command functions to load encrypted information and or to execute, and or otherwise manipulate, the information decoded from this encrypted information, possibly in conjunction with clear code and or other decoded information) may remove the requirement to preload specific secure user functions into the device prior to supplying said device to a user. Instead each PSO may include the secure user function as encrypted information, resulting in a device that can securely process part or all of a diversity of software objects. As suitable system command functions may be constructed to dynamically load blocks of encrypted information in and out of secure user (and or system) memory, much larger portions of encrypted information may be utilised as part of a software object than is the case with devices dependent on secure information preprogrammed into a limited amount of secure user (and or system) memory.
23 

In addition to decrypting and executing the equivalent of secure executable user functions, the invention also allows that the device may securely add to and or edit secure system functions using a similar process.

The invention also allows for part of the secure system functions to be loaded (usually in encrypted format) into the device from external storage each time a UCDPS is booted (and or on any other basis).
29 

The security of the secure system routines, and in particular of the secure system decryption routines stored within the SPD, is pivotal to maintaining the security of processes using the device. The information within secure system functions must be protected to a level that makes it not practical to defeat, and while any storage device may be used to retain the secure system functions within the device, the preferred method uses battery backed static memory. This can be rapidly erased in the event of tampering, and such a requirement particularly applies to any system functions that are stored in decoded format.
36 

The transfer of information from one location to another may result in transmission errors, and the invention allows for secure system error detection functions that may use any known method and apparatus to detect and or correct these errors.
As the usual location of the SPD is within the UCDPS, information that is to be transferred to the SPD may be accessible and deliberately modified, eg. by computer viruses and or by attempts to reverse the SPD. The invention allows for secure system validity checking functions, that may use any method and apparatus to verify that the information supplied to the SPD is as intended by the information provider, and or take any required actions; these may include directly or indirectly (usually via secure system error monitoring routines) disabling part or all of the SPD. Where applicable, this may include the erasure and or alteration of secure information.

The use of cyclic redundancy checking (or CRC) of information generated by a service provider, included within a PSO and then encrypted, is one method of providing secure validity checking functions. The reversal of this process in the SPD may use any combination of hardware and software methods. The process is well known to the art. Note that a CRC is a linear error detecting code rather than a cryptographic authenticator; if the cipher mode is malleable, an attacker who can alter ciphertext bits may also be able to adjust the enclosed CRC to match, so a keyed message authentication code gives stronger tamper detection.
13 

9. Secure system decryption/encryption functions: The decryption functions may in part or whole be implemented in software to decrypt externally supplied and encrypted information using any known methods, including the Data Encryption Standard. One or multiple hardware based encryption/decryption engines may perform the decryption, in part or whole. Such an engine is one compatible with the Data Encryption Standard (DES). The method of using predetermined processes located within the SPD to decrypt (and encrypt) information is referenced as the Standard Decryption Process in this application. Standard Decryption Processes may require the supply of various codes to function correctly. The original cryptography processes were developed for the secure communication of information between parties, and they work well when this is the primary motive. When the purpose of encryption is to enable one party, in this case the producer, to encrypt information to protect it against unauthorised use, and the second party is a user who may prefer that the information was not encrypted, then the original basis for secure cryptography changes, and the premise for security is based on the fact that said second party will receive the information, however it will be difficult for them to access it in clear code. This has resulted in various specialised devices to decrypt information. As described, this method does not provide a system that is 'not practical' to defeat. The Oscar method of secretly decrypting and executing information provides a method that is not practical to defeat.
28 

The capability of supplying an SPD with a PSO that can be made to perform any desired function within the SPD that is consistent with the available resources and constraints of said SPD allows said SPD to be dynamically modified to perform any function as required. This permits a PSO and or any other internal and or external function to actually request one or multiple decryption functions to be loaded into the SPD. Said decryption functions may include information that is used to dynamically manufacture a hardware decryption engine from programmable logic within said SPD.

The capability of significantly varying the decryption process, and or constructing hardware cipher engines from volatile electrical connections that cease to exist when subjected to analysis, and or dynamically engineering cipher engines to suit a PSO, makes characterisation of the decryption process very difficult. The known art does not describe such a method and apparatus, which this invention references as Dynamic Decryption in this application.
40 
By including one or multiple decryption processes within an actual PSO, the decryption process can become self modifying, with the instructions of the actual PSO varying decryption parameters and or decryption algorithms, and or installing, in part or whole, one or multiple new decryption algorithms during the process of executing the PSO that are further used to decrypt additional parts of the PSO. This may occur on multiple occasions, in any combination, during execution of the program. The key to this process is to include with the PSO a sub-routine that can be recognised and executed by functions within the SPD, and said sub-routine initiates the process of unlocking the subsequent encrypted material. Said sub-routine is encrypted using a process that is known to be reversible by functions within the SPD. The known art does not describe such a method and apparatus, which this invention references as Recursive Decryption in this application.
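The following is an added example, not code from the patent, that puts three of the mechanisms described above into one runnable Python model: a PSO addressed either to a single SPD (via its system local code) or to a group of SPDs (via a shared group code), a CRC computed over the clear information and encrypted with it so the SPD can check validity after decryption, and a Recursive Decryption step in which the first decrypted stage carries the key material that unlocks the second stage. The cipher is a SHA-256 counter-mode keystream used only as a stand-in for the DES engine the page names; the PSO layout, the field sizes, the tamper threshold and the names make_pso, SecureProcessingDevice and try_process are this example's own assumptions.

```python
"""Two-stage PSO: service provider side (make_pso) and SPD side (process).

Added example, not the patent's code. The stand-in cipher is not a
recommendation; it only makes the example self-contained.
"""
import hashlib
import os
import struct
import zlib

MAGIC = b"PSO1"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher: XOR with SHA-256(key || nonce || block counter) blocks.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + struct.pack(">I", off // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(key: bytes, nonce: bytes, clear: bytes) -> bytes:
    # The page's method: CRC over the clear text, then encrypt CRC and text together.
    return keystream_xor(key, nonce, struct.pack(">I", zlib.crc32(clear)) + clear)


def unseal(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    plain = keystream_xor(key, nonce, sealed)
    crc, body = struct.unpack(">I", plain[:4])[0], plain[4:]
    if zlib.crc32(body) != crc:
        raise ValueError("validity check failed")
    return body


def make_pso(kind: bytes, target_id: bytes, outer_code: bytes, clear: bytes) -> bytes:
    """Service provider: kind b'L' targets one SPD by serial, b'G' targets a group."""
    assert kind in (b"L", b"G") and len(target_id) == 8
    stage2_key, nonce1, nonce2 = os.urandom(16), os.urandom(8), os.urandom(8)
    stage2 = seal(stage2_key, nonce2, clear)
    # Stage 1 is the recognised 'sub-routine': it carries the key for stage 2.
    stage1 = seal(outer_code, nonce1, stage2_key + nonce2 + stage2)
    return MAGIC + kind + target_id + nonce1 + stage1


class SecureProcessingDevice:
    MAX_ERRORS = 3  # hypothetical threshold; the page leaves the number open

    def __init__(self, serial: bytes, local_code: bytes, group_id: bytes, group_code: bytes):
        self.serial, self.local_code = serial, local_code      # electronic signature, local code
        self.group_id, self.group_code = group_id, group_code  # shared across a group
        self.errors, self.disabled = 0, False

    def _code_for(self, kind: bytes, target_id: bytes) -> bytes:
        if kind == b"L" and target_id == self.serial:
            return self.local_code
        if kind == b"G" and target_id == self.group_id:
            return self.group_code
        raise ValueError("PSO not addressed to this device")

    def process(self, pso: bytes) -> bytes:
        """Return the clear payload; count an error and raise if the PSO is not acceptable."""
        if self.disabled:
            raise RuntimeError("SPD disabled")
        try:
            if pso[:4] != MAGIC:
                raise ValueError("not a PSO")
            kind, target_id, nonce1, stage1 = pso[4:5], pso[5:13], pso[13:21], pso[21:]
            inner = unseal(self._code_for(kind, target_id), nonce1, stage1)
            stage2_key, nonce2, stage2 = inner[:16], inner[16:24], inner[24:]
            return unseal(stage2_key, nonce2, stage2)      # recursive stage
        except (ValueError, struct.error):
            self.errors += 1
            if self.errors >= self.MAX_ERRORS:
                self.disabled = True                        # item 11: protect the device
                self.local_code = b""                       # erase secret (assumed response)
            raise


def try_process(spd: SecureProcessingDevice, pso: bytes):
    """Convenience wrapper: clear payload, or None if the SPD rejected the object."""
    try:
        return spd.process(pso)
    except (ValueError, RuntimeError, struct.error):
        return None
```

A PSO made with a device's local code is rejected by every other device, while one made with the group code is accepted by every device in that group; flipping one ciphertext bit fails the stage-1 CRC, and repeated failures disable the device as item 11 describes. With the stand-in cipher the payload of a tampered object is never exposed because the clear text only leaves unseal after the CRC matches.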
10 

The decryption processes described are on the basis of encryption of information by a service provider with access to the secure information within multiple SPDs and the decryption of that information in the target SPDs. PSOs may be encrypted for a specific SPD and or for multiple SPDs.

The decryption processes described may also apply to the encryption of information from an SPD to a service provider. The user has no knowledge of the encryption process and usually little knowledge of the clear code being encrypted. The process can be made even more secure by the service provider supplying an encrypted encryption process to the SPD. This process will have multiple applications and is referred to as the Coco method.
19 

Standard Decryption and or Dynamic Decryption and or Recursive Decryption and or Realtime Decryption and or the Coco method may be used in any PSO in any combination determined by the service provider. The service provider may always supply the required information to ensure that any chosen encryption process may be reversed in one or multiple target SPDs. The invention allows for any known method of encryption and or decryption to be used with any part or all of the invention.

The encryption/decryption methods described pertain to communications between service provider and user. They are also applicable to the secure storage of information within a UCDPS, including the encryption and storage of various values in the UCDPS memory that are intermediate and or final results of processing.
29 

The decryption and or encryption processes described for the invention may interact in any way with external processes, and the interaction may assist with said decryption and or said encryption.

The preferred security provided by an SPD is its function of decrypting and executing encrypted programs in secret and or decrypting and processing encrypted data in secret.

The invention also allows for the decryption of information that is not securely protected.

The invention allows that the SPD may be programmed with one or multiple secure user functions, and any method and apparatus may be used to select the current secure user function. The system functions that perform this role are referenced as system task switching functions, and they allow that PSOs may be coresident and or multitasking, and said multitasking may occur alongside programs that do not require the use of the invention.
3 

The use of battery backed storage elements (and or other continuous functions, e.g. a security monitoring CPU) requires a continuous supply of power to the device in the absence of system power. The invention allows for any method and apparatus to achieve this, including the integration of a battery into the device and or an external battery together with suitable monitoring and switching circuitry. An A/D converter may be included to detect changes to the battery voltage for any reason. These are referenced as secure system power management functions.
9 

The invention as described permits:

1) the secure transfer of encrypted information from an external source (including memory) using any method, to one or multiple secure locations within a system CPU and or ESPD, and then (and or during)

2) the use of any suitable combination of microcode and or hardware and or secure internal software routines and or data (that may be augmented by any other software routines and or data in any location) to securely decode this encrypted information and or store the decoded (and or remaining encrypted) information in a secure location (usually internal to the device, however it may include encrypted information stored in suitable external locations), and then (and or during)

3) the processing of sufficient information from the encrypted and or decrypted information (and or any other internal and or external information that is accessible, directly and or indirectly) to enable the secure and secret use of sufficient secret information that it is not practical to gain any useful benefit from any information that is in clear code, and said clear code may be information that was never encrypted and or information that was encrypted and subsequently stored in unsecured locations, and

if the only reversible functional limitation applied to a software object is that which needs to be reversed by a device as described for a secret processing device, permits the original software object to be used as intended, and may do this without revealing part or all of the native object code constituting the software object, conditional upon the appropriate information being contained within the SPD.
27 

10. Automatic Reporting Facility.

A major application of the SPD as it applies to the secure distribution of software objects suitable for use on a UCDPS is to supply software objects that have been modified such that they must interact with the SPD on a frequent enough basis that the SPD may use this interaction to record the usage of the software objects, in a manner that directly and or indirectly equates to a monetary value. These modified software objects are one type of PSO as described in this application, and to distinguish them from other types of PSO they are subclassified as Commercial Protected Software Objects or CPSO. A CPSO has some requirement for the exchange, directly or indirectly, of money for the use of the CPSO. The usage of CPSOs may be time and or events based and or measured by any other method. The preferred methods allow unlimited use of these CPSOs as long as certain criteria are complied with.

As the SPD preferably does not require its host UCDPS to be attached to any remote device that may exert some form of control on the use of CPSOs, and as in many instances CPSOs have no intrinsic limitation on their lifespans and are readily available at little or no cost, a method is required to limit the use of CPSOs such that payment is made.
3 

The invention allows for the use of CPSOs with an SPD to be controlled using any known method and apparatus, and this is usually on the basis of one or multiple predefined limits electronically transferred to the SPD that are suitably adjusted as CPSOs are used; when a limit is reached the SPD preferably stops processing the CPSOs. The invention allows that said predefined limits may be granted on any basis. The invention also allows for no limits on the use of CPSOs; however, this would usually only apply to major account customers, and even they may prefer to have limits placed on what individual employees may spend on CPSOs.

The preferred method of controlling the use of CPSOs, where the SPD will record this use on any measurable units of use basis, is to prevent the SPD processing these CPSOs unless there is sufficient electronic credit available. Credit may be stored in any form. The preferred method stores one or multiple values in the SPD.
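The following is an added example, not code from the patent, that models the metering described above in Python: a CPSO that must call back into the SPD every so many events, an SPD that charges each callback against credit held in its own store and stops the CPSO when the balance is exhausted, and an Electronic Credit PSO that tops the store up. Both credit forms the page mentions are shown, prepaid units that are decremented and an unpaid credit limit against which usage accumulates. The callback interval, the unit price of one per callback and the names CreditStore, MeteredSPD and run_cpso are this example's own assumptions.

```python
"""CPSO usage metering against electronic credit held in the SPD.

Added example, not the patent's code. CreditStore stands in for the SPD's
non-volatile credit locations (flash memory in the page).
"""
from dataclasses import dataclass, field


@dataclass
class CreditStore:
    prepaid_units: int = 0        # decremented as prepaid credit is used
    credit_limit: int = 0         # unpaid allowance for account customers
    used_on_credit: int = 0       # usage accumulated against that limit
    usage_log: dict = field(default_factory=dict)   # per-CPSO units, for reporting


class MeteredSPD:
    def __init__(self, store: CreditStore):
        self.store = store
        self.enabled = True

    def apply_credit_pso(self, units: int) -> None:
        # Electronic Credit PSO: adds value to the prepaid location and re-enables.
        self.store.prepaid_units += units
        self.enabled = True

    def charge(self, cpso_id: str, units: int) -> bool:
        """Record usage; True if the CPSO may continue, False if it must stop."""
        if not self.enabled:
            return False
        st = self.store
        if st.prepaid_units >= units:                    # prepaid credit first
            st.prepaid_units -= units
        elif st.used_on_credit + units <= st.credit_limit:   # then the unpaid limit
            st.used_on_credit += units
        else:
            self.enabled = False      # item 11: credit exhausted, stop processing CPSOs
            return False
        st.usage_log[cpso_id] = st.usage_log.get(cpso_id, 0) + units
        return True


def run_cpso(spd: MeteredSPD, cpso_id: str, events: int, interval: int = 10) -> int:
    """Constructed CPSO: performs `events` units of work, checking in every `interval`."""
    done = 0
    for i in range(events):
        if i % interval == 0 and not spd.charge(cpso_id, 1):
            break                     # the SPD has refused to continue
        done += 1
    return done


if __name__ == "__main__":
    spd = MeteredSPD(CreditStore(prepaid_units=2, credit_limit=1))
    print("events completed:", run_cpso(spd, "editor", 100), "enabled:", spd.enabled)
    spd.apply_credit_pso(5)
    print("after credit PSO:", run_cpso(spd, "editor", 25), spd.store)
```

The usage log is what the Automatic Reporting Facility would later transfer to the service provider; keeping it in the same store as the credit values means a power cycle loses neither.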
17 

11. An SPD may disable itself in part or whole when any requirements that are attached to the use of PSOs are not met. This includes when PSOs have been determined as being tampered with, and or it is determined that an unauthorised party is attempting to use software methods to compromise the SPD, and or that there is physical tampering with the SPD, and or that various requirements for transferring information accumulated by the SPD directly and or indirectly have not been met, and or that various electronic credits have been used up, and or that various keys required to activate one or multiple PSOs have not been supplied and or are incorrect, and or for any other reason.

12. An SPD that is disabled in part or whole may be re-enabled in part or whole by any method, including the supply of an appropriately configured software object.
27 

13. Processing of Protected Software Objects by SPD: Using any suitable software routines that may be resident in the SPD and or require loading from any external sources, and that may require assistance from any other SPD and or PSO and or external resources, the SPD responds to any suitable command generated by a software object requesting access to any one or multiple functions within the SPD by determining, at any appropriate stage, that a software object that has requested access to resources within the SPD is a software object that has been specially prepared to work in conjunction with the SPD and that it has not been tampered with. Such a software object said specially prepared is referred to as a PSO and is prepared using one or multiple encryption processes. A PSO preferably includes embedded error and or validity checking information, and this may use any one or multiple known methods. The process of ensuring that a software object is a valid PSO preferably includes one or multiple error and validity checking processes and the decryption and or execution of parts of the software object within the SPD.
39 
If the object is not acceptable, the SPD may take any course of action including disabling part or all of the SPD, reporting an error to the user using any method, denying access with no report, and or any other action. An object may not be acceptable for any reason, including that the object was not created for use with an SPD or that changes within the software object have occurred. If the SPD receives a predetermined number and or types of errors it may decide that these errors are not legitimate and take any course of action to protect the security of the device. This may include granting no further access and or invalidation of part or all of the secure information within the SPD. The conditions that determine this course of action may be dynamically modified by the supply of an appropriate PSO.
8 

If it is determined that the software object is a valid software object for use with the SPD, examination of any relevant part of the software object determines what action is required of the software object. Said action may include performing further validity checking and or decryption and or any other actions as the PSO is processed in conjunction with the SPD. Protected software objects preferably include information that indicates the type of information that is included within the object, the resources required of the SPD, information to assist validity and error checking of the information, information to assist decryption of encrypted information, and any other relevant information. Said any other relevant information may be anything consistent with the resources of the SPD, because one feature of the SPD is its capability of being securely updated to perform any software function consistent with the resources of the SPD. This updating may be dynamically performed by supplying the appropriate one or multiple PSOs prior to supplying the PSO that will use the dynamically modified functions. Said PSO that will use the dynamically modified functions may itself include, in part or whole, the information to said dynamically modify.
20 

The following are the types of PSOs that an SPD suitable for use in the protection and distribution of software objects preferably includes, however, functions for one type of PSO may be combined in part or whole with any other one or multiple PSO functions to create one or multiple mixed function PSOs:
24 

a) Secure System Update PSO: these may modify the secure system functions of the SPD using any method including data and or program instructions that are to be loaded to specific locations within secure system memory and or they may be programs and or data that is to be executed to perform one or multiple functions and or any other method. This type of PSO is preferably heavily encrypted with multiple checksums. When validated, required action is performed by the SPD.
30 

b) Electronic Credit PSO: this adds values to one or multiple non-volatile storage locations within the SPD. Said locations are preferably clear (and or any other predetermined values) when the SPD is supplied to a user for the first time. Said non-volatile storage is preferably flash memory, described previously. Said values preferably equate to a number of units of available credit for use with various CPSOs and or any other reason. The use of these values may be for prepaid credits and these are stored in a location that is preferably decremented as available credit is used and or they may be for credits that are unpaid and are effectively a credit limit against use. Any method may be used to distinguish prepaid credits from unpaid credit.
38 

c) Report Verification PSO: this verifies that a particular report generated previously by the SPD has been received by the SPD. It is preferably specific to a particular SPD in that unique information within the SPD is required to correctly validate and have it perform the required functions. It may perform any one or multiple functions, directly and or indirectly within the SPD. It usually resets any restrictions within the SPD that are awaiting receipt of the report verification PSO and may do this in any way. It also usually programs the relevant locations with a new reporting interval and or modifies in any way any part or all of the report generating and verification system.

5 

d) CPO as previously described.
7 

Preparation of a Protected Software Object:

It is one object of the present invention to provide a method and apparatus for distributing a software object from a producer to potential users such that a user may make as many legal and or illegal copies of … distribute them as widely as they wish, however, any user executing the software object must remunerate the producer and or service provider of the software object, effectively … achieve this is to convert the original software object to a version that is modified to a PSO that is usually still capable of potentially running on many … and for any particular PCPU … to the PSO. This may or may not require intervention by the user. In the following description a reference to PCPU also applies to ESPDs. The preferred method allows the user unlimited use of PSOs contingent on them having sufficient electronic credit within and or securely accessible by the PCPU. The conversion from a software object to a PSO preferably occurs in a secure location.
20 

Object Support Information:

One step in the creation of a PSO is to take a software object from the producer, referenced as the primary software object, and create Object Support Information (or OSI) that provides various information to assist the creation of the PSO. The actual creation of the OSI is usually a co-operative process between the producer and service provider, however, any operations that require the use of information within the secure system memory of a PCPU would usually be restricted to the service provider. The OSI is usually placed near the start of the program, however, it may be located anywhere throughout the program as long as it is arranged in a sequence acceptable to the PCPU that will process it, and or the PSO includes various information that may permanently and or temporarily modify the PCPU such that it can locate and use the OSI. To protect the information in the OSI from tampering, part or all may be encrypted, and or may have various check sums that are preferably secure and or encrypted themselves. The OSI may be provided in part or whole as a separate program(s) and or as part of one or more other programs and or may already be present in the PCPU and or any other method. If the OSI is within separate modules and contains information that the producer does not want deleted, there should be a suitably secure cross reference in the main part of the PSO to check for the presence of independent modules and valid data within. The preferred embodiment includes all information within the body of the primary software object or one or multiple modules of the primary software object. The actual method to encrypt and decrypt information may use any known method and any number of levels and any combination of methods. The OSI is a description of certain functions that may be required, and they may be implemented using any known method and structure. The ability to program the functions within the target PCPU enables any new structure to be created by supplying a suitable PSO compatible with existing structures.
3 

The following is a non-exclusive list of components that may be found in OSI:

Detection of Presence of PCPU: this is usually performed immediately after the start of PSO execution. Should a PSO attempt to execute in an environment without a PCPU one or multiple adverse outcomes may result, for example the hard drive may be modified.

The preferred embodiments of a PCPU allow access to the secure memory by the execution of various special instructions. As these instructions do not exist in a normal CPU, their execution in this environment may cause problems. The preferred methods of ensuring that PSOs are only used in a UCDPS that has an appropriate PCPU are:-

Common instruction trigger sequence: … such that a certain combination triggers various events in the secure parts of the PCPU. The following example shows one alternative:-

protected software loaded into memory
execution commences at a particular location that executes three no operation (NOP) instructions in sequence, followed by a branch to the … (any number, combination and permutation of suitable instructions may be used)
the instruction following this is a branch to a routine to terminate execution of the program
a CPU that is not a PCPU will execute these instructions and quickly terminate the program
a PCPU will have the facility to recognise the particular sequence of instructions; this triggers internal routines to modify the data in the branch instruction and or redirects external execution to a particular location that enables continued processing of the PSO.

This process is transparent to the operating system.
27 

Checking on availability of resources:

If the PSO is to execute in a multitasking environment where multiple tasks are concurrently executed on a time sliced basis, it is possible … to include a routine to determine the availability of PCPU resources and any relevant information that the PSO requires to … resources: this information may be any sort of information including a reference task number, and or an address or block of addresses the PSO should use to communicate with the PCPU, for example the system command and data ports 100 in Figure 4, and or the amount of internal PCPU memory available to the PSO and or any other information. This process may also involve the PSO providing the PCPU with certain information. In the case of the PCPU described with reference to the drawings, this transfer of information would normally be via the nominated addresses constituting the System Command and Data Ports in the dual port memory.

Should the PSO currently be unable to use the PCPU it can take any known course of action, the commonest of which may include entering a delay routine and trying again later; an efficient method is to call a routine designed for this in the operating system, with or without a message displayed. A PCPU may have the facility to transparently override the operating system and a message may be displayed for the user to determine future action. Other actions may include program termination, with or without a message.
4 

A PSO preferably checks various information currently resident within the secure system memory of the PCPU for the presence of certain functions within the system memory and that they are a version suitable for use by the PSO. This is usually confined … particular PSO, however, it may … PSO may be shipped with certain update information included as part of the PSO and or with other PSOs shipped with the PSO, and that a PSO may automatically and or at the user's direction, update the system memory functions to current information and may suitably adjust the version number, and that this may be a temporary modification for the duration of execution of the PSO and or a semi-permanent and or permanent change. Should the system functions not be able to be updated for any reason, the PSO would usually terminate with a request for the user to arrange for the necessary changes to system functions, however, it may take any other action.
15 

Conditions of Use:

As PSOs may need to identify to the PCPU the producer of the PSO (eg. to log usage and allocate payments), a unique vendor identity code may be included in the PSO in a position and or any other way that can be determined by the PCPU. This code is usually consistent on each product from the producer. The invention allows for this method or any other to differentiate PSOs that are primarily commercial objects from those that provide various support functions.
23 

To differentiate a particular program from others by the same producer a unique program identity code (UPID) is usually included in the PSO in a known location and or any other way that can be determined by the PCPU. This may be unique amongst products from the same producer, however, it may be identical to another product by another producer. This code may be further used to … the program as a game or a wordprocessor, etc and this would usually be common across all UPIDs, another part may identify the version number and the balance may be used to ensure … that producer. Any other relevant information may also be included in the code. The invention allows that the various sub-parts of information included in this code may in part or whole be allocated their own codes.
32 

The invention allows that the billing for the use of a PSO may use information within the PSO. Any of the following information may be located where the PCPU and or any other applicable devices or routines can identify it:

Currency Identifier - this indicates the currency in which the producer of the PSO is to be paid; it is mainly used by the service provider, however, it may be used for any reason.
39 



Page 42 



WO 97/25675 



PCT/AU97/00010 



Personal User Device Valid - this indicates whether this PSO may be used with a Personal Software Card. This is a device described in another application that lets the users of one UCDPS temporarily or permanently port various access and billing to another UCDPS.
4 

Timed Basic Charge (or TBC) - is the unit rate for use of the product. The preferred rate is by the hour, however, any time interval may be used. It is anticipated that users will ultimately determine the type of billing they want, and it will probably be based on a time used basis associated with certain frequency discounts and possibly a cut off point at which there are no additional charges. The charge rate is usually in terms of a standard unit - for example it may be US Dollars. Whatever standard rate is chosen is usually standardised across PSOs. The invention allows that any amount in any currency may be used. The invention also allows that the TBC for various countries may be different, for example to allow for different economic conditions. Any particular PSO may include the entire set of TBCs for all countries or only a subset. The TBC may not be available to all regions. The invention allows that a discount schedule may apply to the TBC for increasing use or whatever reason, and that this may vary from one region to another, and this discount schedule may be stored in the PSO. Further discounting may apply for different types of users, eg. government, education, business and part or all of this information may be stored in a PSO. Various vendors may wish to offer various discounts for existing customers when an updated version of their product is released and or when a new product is released and these may be stored in a PSO.
18 

The PSO usually includes one or multiple transaction processing codes to indicate the type of billing system used. This may vary from region to region and each PSO may have a list that includes transaction processing codes for all countries or any subset. For any particular country, there may be different codes for different groups eg, government users may be billed using a different method to business, and the combinations used may vary from one region to another.

While not an exclusive list, the following are the more common types of transaction processing codes:-

a) The PSO may be distributed at nominal cost, with the customer paying for time used.
b) The PSO may be distributed at nominal cost, with the customer paying for time used, however, a data key (at no cost) is required to activate the program.
c) The PSO may be distributed at nominal cost, with the customer paying for time used, however, a data key is required to activate the program and there is a charge for the key; this charge may be located in the relevant fixed basic charge field.
d) The PSO may be distributed at nominal cost, however, a data key is required to activate the program and there is a charge for the key, however, there are no continuing charges.
e) The PSO is only supplied on receipt of payment, with additional charges for time used. A key may be required to activate the program.
f) The PSO is only supplied on receipt of payment, however, there are no additional charges.
36 

The PSO may be one that is generic to multiple PCPUs or customised to a particular PCPU.
38 

Event Basic Charge (or EBC) - the invention allows that usage of software may be based on the number of times the program is opened and or any other event based mechanism. The Event Based Charge is the unit rate for this method of billing. All of the options and or discounts and or requirements described for TBC above apply for Event Based Charge and will not be repeated, however, the various combinations and particular options used may vary from the TBC in any way.
4 

Fixed Basic Charge (or FBC) - this is a fixed charge to use the software and may be a one off charge that subsequently permits unlimited access on that UCDPS or a charge that grants access and then bills further use using any combination of the previous methods. All of the options and or discounts and or requirements described for TBC above may be applicable for Fixed Basic Charges, however, the various combinations and particular options used may vary from TBC in any way.
10 

Transaction processing codes may be constructed to detail any combination of billing processes and discounts and anything else.
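The following is an added example, not code from the patent, showing how a PCPU could charge timed use under a Timed Basic Charge and draw it from the prepaid and unpaid credit locations loaded by an Electronic Credit PSO (described earlier). The regional rate table, usage discount schedule, user type discounts and the prepaid versus credit-limit split are constructed values; the patent only states that such information may be stored in the PSO or the SPD.

```python
"""Added example (not from the patent): charging timed use of a PSO against
the electronic credit held in an SPD.  All tables below are constructed."""
from dataclasses import dataclass

# Constructed OSI billing fields: Timed Basic Charge per region, cents per hour.
TBC_BY_REGION = {"AU": 300, "US": 250}
# Constructed discount schedule for increasing use:
# (cumulative hours already billed, fraction off the TBC); highest matching row applies.
USAGE_DISCOUNTS = [(0, 0.00), (10, 0.10), (50, 0.25)]
# Constructed further discounting by user type.
USER_TYPE_DISCOUNTS = {"business": 0.00, "government": 0.15, "education": 0.30}


def session_charge(region: str, hours: float, prior_hours: float, user_type: str) -> int:
    """Cents owed for `hours` of use, given the hours already billed to this user."""
    if region not in TBC_BY_REGION:
        # The TBC may not be available for all regions: refuse rather than guess a rate.
        raise ValueError(f"no TBC available for region {region!r}")
    rate = TBC_BY_REGION[region]
    usage_off = max(d for threshold, d in USAGE_DISCOUNTS if prior_hours >= threshold)
    rate = rate * (1 - usage_off) * (1 - USER_TYPE_DISCOUNTS[user_type])
    return round(rate * hours)


@dataclass
class ElectronicCredit:
    """Non-volatile credit locations in the SPD; clear when first supplied."""
    prepaid_cents: int = 0        # decremented as prepaid credit is used
    credit_limit_cents: int = 0   # unpaid credit: effectively a limit against use
    unpaid_cents: int = 0         # drawn against that limit, settled later

    def add_credit_pso(self, prepaid: int = 0, credit_limit: int = 0) -> None:
        """Effect of an Electronic Credit PSO: add values to the stored locations."""
        self.prepaid_cents += prepaid
        self.credit_limit_cents += credit_limit

    def available_cents(self) -> int:
        return self.prepaid_cents + (self.credit_limit_cents - self.unpaid_cents)

    def charge(self, cents: int) -> bool:
        """Use prepaid credit first, then the unpaid limit; refuse if insufficient."""
        if cents > self.available_cents():
            return False            # use of the PSO is contingent on sufficient credit
        from_prepaid = min(cents, self.prepaid_cents)
        self.prepaid_cents -= from_prepaid
        self.unpaid_cents += cents - from_prepaid
        return True


if __name__ == "__main__":
    credit = ElectronicCredit()
    credit.add_credit_pso(prepaid=500, credit_limit=400)
    owed = session_charge("AU", hours=2, prior_hours=0, user_type="business")
    print(owed, credit.charge(owed), credit.available_cents())
```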
13 

The ability to distribute software in massive quantities with very low upfront costs to the user may provide significant changes to the methods of marketing and advertising software products. One method may be to permit the user free or discounted access to various products, particularly new products. This may include various promotional schedule codes (PSC) within the PSO, that may be designed to achieve any outcome that is permitted by the PCPU that the PSO executes on, and this may include codes representing anything to do with promoting any sort of product using any known method, including:-

• a list of discounts and the time they apply may be included within the PSO, and they may be multiple. The discounts may be any value, and may result in free software for variable periods of time. The facility even exists for a producer to pay a user to try their product. Particular promotions may have a use by date assigned to them.
• Another approach may be to generate a random number in the PCPU each time a program is run or on any other basis. If this matches a code in the PSO, then various free program time may be provided on the current PSO and or another program by the producer and or various prizes may be given away.
• The software may also be made available to a potential customer … at no charge, or a nominal charge applied to the use of this partially disabled program. This may be particularly useful for programs that may take time to assess, for example a new accounting program, where a potential customer may want to fully assess the package prior to committing to a changeover from an existing system. The activation to a fully operational system may require a key (that may or may not have a charge) or simply require the user to execute a program that initiates time and or event based billing, or any other method.
32 

The information to perform any promotional function may be included in part or whole within the PSO, however, it would usually rely in part or whole on secret processes within the PCPU to prevent unauthorised manipulation of the promotions.
36 

Certain software products may be unsuitable for use by particular groups. For example, certain countries may be restricted from using software because of security concerns and or because it may offend certain cultures and or other software may be unsuitable for children and or it may be restricted to certain professions and or it may be
restricted to use at certain times and … and may be included in a particular PSO to limit access to various categories of user.
3 

Any information included in a particular OSI may become obsolete and this may be a particular problem with prices and discounts. Any information contained in an OSI may be replaced in part or whole with other more readily updated information stored in any suitable location; this may include locations within the PCPU, and or various files stored on one or multiple mass storage devices, and or distributed with other PSOs, and or distributed as part of codes supplied to users to update PCPU credits and or any other reason, and or any other method. All of this may be subject to the overall control of the service provider who can vary the actual amount charged to any particular user. The billing process is described later in this application.

11 

Part or all of the information within the OSI is usually reliant on known information within the secure system memory of the PCPU to correctly …, however, as part or all of this PCPU memory may be reprogrammed by suitably encrypted external information, part or all of which may be included within the PSO, the specific requirements of a particular PSO may be met by dynamically modifying part or all of the secure system memory. Additional flexibility may be gained by loading any required part of the PSO into secure user memory for execution. Although various functions have been detailed for the OSI, in practice a multiplicity of special functions may be included and these may occur during any part of the execution of the PSO.
19 

Method to Update the PCPU:

Another step in the preparation of a PSO may be to include in the PSO various routines and data that will execute automatically and or under user control to update various information on the UCDPS for any reason and may include:-

• update the secure system memory …
• update various files stored on a UCDPS that contain various billing information and or discounts and or special promotions and or any other information.

These update functions may be included as part of the actual PSO and … other PSOs may be created specifically for the purpose and or may be parts of other PSO applications. These other PSOs may be supplied to the user with the said actual PSO and or may be supplied separately.
30 

Error and Validity Checking:

A PSO, and the PCPU with which it is to operate, are provided with a number of secure mechanisms to protect against unauthorised analysis of information stored within. As there may be considerable financial gain to any party that manages to compromise the security of either, it is anticipated that a number of attempts will be made to compromise the security of both, and one method may be aimed at changing various parts of the PSO in an attempt to analyse the various outcomes. In order to protect against this and also to detect genuine errors in the PSO, it is usual to use one or more error and or validity checking processes on information within the PSO, and these may use any known method and apparatus, and these may be dependent in part or whole on functions within the PCPU, that may include:-

• routines within system memory, and or
• various algorithms implemented in hardware within the PCPU, and or
• routines loaded from external sources
• loaded from the PSO (usually, in part or whole, in encrypted format), and or
• any other source.

The error checking and validity checking is a process that usually occurs in total secrecy at both ends, with the service provider the only party that knows the process. The service provider is aware of the processes available in any particular PCPU to extract and validate any parity information and or CRC information and or any other information, and the method used to take the actual code of the PSO and generate the expected parity information and CRC information and any other information, and the methods to determine whether or not the expected information matches the extracted information. The service provider can take a PSO at any stage or stages in the conversion process from software object to PSO and analyse the information and add and or change data in such a manner that the outcome when run through … errors. Should one or multiple parts of the PSO be changed by an unauthorised party, then the error and or validity checking process in the PCPU will detect the modifications and may take any known action, including those actions described later. If the service provider … protocol preprogrammed into the PCPU, there may be no need for any other additional information within the PSO, however, if the service provider follows a variable pattern and or non-standard processes then additional information may need to be included within the PSO to permit correct analysis at the other end, and this may use any known method. As part or all of the PSO will usually be subsequently encrypted, there is no practical way for an external analysis of the PSO to even hint at which apparently meaningless data … checking and which is encrypted information. Furthermore, the error/validity checking information may itself be encrypted. Furthermore the system usually only needs to work in one direction - provider to user, although some processes may need to be included within the PCPU to generate error and or validity checks on information that is to be stored in encrypted format in external resources (these are discussed in more detail in the applications dealing with these devices). Any number of error detection … of the encryption process. The invention also allows that … all of the PSO with the actual method to reverse this included within the PSO, and as long as part or all of the method to reverse is encrypted and the reversal process occurs in secrecy, there is no means of reverse engineering the process, and the actual methods and or apparatus used may be any known method and or apparatus.
30 

Encryption of the information within the Protected Software Object:

The final step in the creation of a PSO is the conversion of the software object as supplied by the producer together with any additional information as previously discussed to a protected program that provides the security against illegal use of the program. By encrypting the PSO using any known encryption method and any combination of known encryption methods, including the processes described previously, the software object is converted to a PSO that in part or whole may only be executed internal to an appropriate PCPU
one and or multiple levels of complexity
encryption, what method or methods of encryption should be applied and any ancillary information that is required to support these methods. The actual arrangement of information within any part of the PSO to effect various outcomes will be highly variable with the exception of certain functions fixed by a particular PCPU, and as the present invention allows for the provider supplied PSO to
be programmed in a multiplicity of ways, the various combinations and permutations to achieve the same outcome are obvious, once the specific requirements and one method of achieving

Crediting funds into a PCPU and or other PCPUs:

The present invention allows that a part of the secure system memory of a PCPU may be securely programmed with information that indicates an amount of credit (using any token and or currency) that may be offset against software usage (and or any other applicable uses). Various secure locations within the PCPU within a particular UCDPS may contain codes that are unique to that particular PCPU and these codes are usually secret. A particular PCPU usually has a publicly accessible electronic signature that can be used to identify a particular UCDPS. A particular PCPU may also have other characteristics that are unique to a particular PCPU, for example, particular software routines and or encryption/decryption processes and or any other
nature of information contained within a PCPU, it is preferable that conversion of a software object into a PSO is performed by a service provider, and that the actual information within PCPUs is maintained in a secure environment. When a UCDPS is initially shipped to a customer, it is likely that the PCPU has no credit value programmed within and may not be activated to execute PSOs. The process of activating a particular PCPU may be accomplished by any method and apparatus, including:

1) The user contacts a service provider (using any method, the most convenient usually being via a modem) and supplies the service provider with the serial number of the PCPU, the amount of credit required, and payment details (that is preferably a credit card payment) that may use any known method.

2) Using known details about various information within that particular PCPU, the service provider takes the requested amount of credit and encrypts this amount using any known method and apparatus (and an experienced person should be able to devise multiple techniques based on the encryption/decryption processes described earlier). The encryption process may use any information (including time and or date and or any other unique and or global information within the PCPU and or that may be securely transferred to the PCPU, using any known method including those described in this application) to generate a one time code that may be decrypted within the PCPU.

3) The one time code is transferred to the user of the PCPU and entered into the computer. The code is decrypted. If an error is generated, the user may be advised. Once the amount is confirmed the nominated credit is programmed into any appropriate secure non-volatile location internal to the PCPU that cannot be tampered with.

4) This process may activate the PCPU if required, however, the preferred determinant as to whether or not a particular PCPU will execute one or multiple PSOs is based on the amount of available credit.

5) The available credit is progressively decremented as various PSOs are used, and the present invention allows for any method and apparatus for billing for PSO use.

6) Software usage of various software objects may be logged. This is described later.

7) When the credit amount is decremented to a predetermined amount (and said predetermined amount may be set by the service provider and or the user) the user is advised that additional credit will be required shortly. The method of advising the user of an imminent shortage of credit may use any method and or apparatus, however, as the programs that implement this process are preferably executing in part or whole from within secure memory internal to the PCPU, the facility exists to generate an internal interrupt jump to an appropriate internal or external program. This may occur at any time, with the most usual being shortly after a system reset. The process may be transparent to the operating system. The facility exists, using a similar process (and or any other method and or apparatus) for the user to generate a

8) For the second and subsequent contacts with a service provider to refresh the credit available within the PCPU, in addition to providing the service provider with the electronic signature of their PCPU, the user will usually be required to advise the service provider of a code (that is securely generated within the PCPU using any known method and apparatus within the PCPU) that may include current information on remaining credit (that may be zero) and may include information

9) Step 2 is repeated, however, in addition to credit information, the code supplied to the user usually contains an encrypted message that informs one or multiple routines within the PCPU that information pertaining to software object use has been received by the service provider. Storage locations allocated to this information may then be cleared.
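The one time credit code of steps 2 and 3, worked through as an added example; this is not the patent's own code. The construction (a keystream and a tag both derived with HMAC-SHA256 from a per-device secret, the device serial and a sequence number that makes each code one-time), the class names and the sample values are assumptions of this example, not anything the patent specifies.

```python
"""Added example (not from the patent): a one-time credit code for a PCPU.

Constructed scheme: the service provider holds each PCPU's secret key, indexed
by the device's public serial number, plus a per-device sequence counter.  The
credit amount is encrypted with an HMAC-derived keystream and an HMAC tag is
appended so the PCPU can detect a tampered or foreign code.  The PCPU keeps the
highest sequence number it has accepted, so a code cannot be entered twice.
"""
import hashlib
import hmac
import struct

SEQ_BYTES = 4    # sequence number (makes the code one-time)
AMT_BYTES = 4    # credit amount in generic units
TAG_BYTES = 16   # truncated HMAC-SHA256 tag


def _keystream(key: bytes, serial: str, seq: int, n: int) -> bytes:
    """Keystream bound to this device and this sequence number (constructed)."""
    msg = b"ks|" + serial.encode() + struct.pack(">I", seq)
    return hmac.new(key, msg, hashlib.sha256).digest()[:n]


def _tag(key: bytes, serial: str, body: bytes) -> bytes:
    """Integrity tag over the sequence number and the encrypted amount."""
    return hmac.new(key, b"tag|" + serial.encode() + body, hashlib.sha256).digest()[:TAG_BYTES]


class ServiceProvider:
    """Service provider side (step 2): issues one-time credit codes."""

    def __init__(self) -> None:
        self._secrets = {}    # serial -> device secret (held in a secure environment)
        self._next_seq = {}   # serial -> next sequence number to issue

    def register(self, serial: str, secret: bytes) -> None:
        self._secrets[serial] = secret
        self._next_seq[serial] = 1

    def issue_credit_code(self, serial: str, amount: int) -> str:
        key = self._secrets[serial]
        seq = self._next_seq[serial]
        self._next_seq[serial] = seq + 1
        plain = struct.pack(">I", amount)
        ks = _keystream(key, serial, seq, AMT_BYTES)
        body = struct.pack(">I", seq) + bytes(p ^ k for p, k in zip(plain, ks))
        return (body + _tag(key, serial, body)).hex()   # what the user types in


class PCPU:
    """Secure device side (steps 3 and 4): decrypt, verify, reject replays, credit."""

    def __init__(self, serial: str, secret: bytes) -> None:
        self.serial = serial
        self._secret = secret
        self._last_seq = 0     # highest accepted sequence, in secure NV storage
        self.credit = 0        # available credit, in secure NV storage

    def redeem(self, code_hex: str) -> bool:
        try:
            raw = bytes.fromhex(code_hex)
        except ValueError:
            return False
        if len(raw) != SEQ_BYTES + AMT_BYTES + TAG_BYTES:
            return False
        body, tag = raw[:-TAG_BYTES], raw[-TAG_BYTES:]
        if not hmac.compare_digest(tag, _tag(self._secret, self.serial, body)):
            return False                       # tampered, or issued for another device
        seq = struct.unpack(">I", body[:SEQ_BYTES])[0]
        if seq <= self._last_seq:
            return False                       # replayed code
        ks = _keystream(self._secret, self.serial, seq, AMT_BYTES)
        amount = struct.unpack(">I", bytes(c ^ k for c, k in zip(body[SEQ_BYTES:], ks)))[0]
        self._last_seq = seq
        self.credit += amount
        return True

    def is_active(self) -> bool:
        """Step 4: the preferred determinant is the amount of available credit."""
        return self.credit > 0
```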

The present invention allows that
also compatible with the provision of credit within the PCPU on account terms with selected users, and the credit amount allocated would usually be sufficient to cover expected usage
bill the user may be calculated by subtracting the amount of credit remaining from the amount supplied in the previous period and or any other method and apparatus.

A user friendly menu system may be used for the processes described above.

Monitoring the use of protected software objects:

The present invention allows for any known method and apparatus that can monitor and or record the usage of PSOs (and or software objects), and preferably one that is compatible with multitasking programs in a single processor and or multiprocessor environment, and preferably one that provides a tamperproof, secure system that operates in part or whole from within
or when independent and connected to a network and or when independent and connected to the Internet or similar, for its correct functioning, and or when the UCDPS is dependent in part or whole on connection to a network and or is dependent in part or whole on connection to
In a single task UCDPS the SPD usually starts recording usage when activated and terminates when the PSO finishes. The preferred method in a multitasking environment where usage is timed is to generate an internal interrupt within the secure microprocessor on a periodic basis, and said interrupt activates a routine within internal secure
counter of the system microprocessor and compares this with the address map
the PSO to determine which program was executing during the interrupt. The invention allows for any combination and or permutation and or weighting for usage of any one or multiple PSOs. Event usage may only require counting occurrences of the measured event in single and multitasking UCDPS. The usage of PSOs is usually recorded in part or whole within secure internal memory, however, the invention allows that part or all of the information on the use of PSOs may be encrypted and stored external to the PCPU and or UCDPS. It is preferable to keep sufficient information on PSO use internal to the device, in order that a software vendor receives the appropriate payment in the event that external storage of this information is corrupted, in which case while there may be no breakdown of transactions, the vendor is correctly remunerated. The aforementioned processes are transparent to the operating system. An alternative non transparent method is to have the operating system perform various routines during task switching that may activate various processes within the secure internal memory to record details about program execution. Information on program usage is usually maintained in secure non-volatile storage locations internal to the SPD. The invention allows that a report on software usage may be prepared (usually in encrypted form, using any method and apparatus) for transmission to a service provider and or any other authorised party on a periodic basis, that may be any period and may be fixed and or variable; this report is usually generated by secure routines within one or more PCPUs.

Controlling execution (and or any other processing) of protected software objects:

One objective of the invention is to provide a method and apparatus that may be used to protect software objects in a manner that does not restrict the copying of the PSO and that in the preferred scenario, would provide at a nominal cost, a copy of that particular software object to any user of a UCDPS requiring it. An optimal situation would be the collation of all PSOs suitable for use with a particular type of UCDPS onto a collection of CD ROMs that may be supplied to users at nominal cost. Update CD ROMs may be made available on a periodic basis. The invention allows for PSOs to be supplied on any medium and this may include access to a database of PSOs via the Internet. The capacity of a SPD to decrypt externally supplied information in a secure manner that may include realtime decryption and decryption using software routines within internal secure memory (that may be supported by hardware decryption engines) together with the method and apparatus to securely encrypt information for transfer to a service provider (or any other appropriate external party), provides a secure and flexible environment for restricting the use of a PSO using multiple methods and the invention allows for all of these. At some point in the processing of a PSO, and usually at the commencement, the SPD may require certain information from the PSO of relevance to determining the type of protection system applied to the PSO, for example, certain data (or any other method) may be extracted from the PSO to inform the SPD that this particular PSO may be executed on a time used basis and whether or not this is linked to the availability of credit within the SPD. Information on the vendor, and or the product code of the PSO and usually the amount to charge for a unit of execution time may then be required (and this information may be required for any other protection systems). One source of this information is the PSO itself and this information may be extracted by the SPD, using any method and apparatus. The usual process extracts (using any method and apparatus) the vendor and product code from encrypted parts of the PSO and stores it within secure memory internal to the SPD. The cost of executing (and or any other processing) the PSO on a time and or event basis and or any other basis is extracted from the PSO where applicable. Where the known art grants a distinct right to execute a particular program, the SPD grants a generic right to execute as long as certain internal and or external generic codes match the requirements of one or multiple PSOs. The invention allows that information contained within a PSO may not be current as regards execution costs (and or any other information) and provides for any method and apparatus to compensate for this, with the preferred method being the provision of one or multiple files located on a suitable mass storage device attached directly and or indirectly to the UCDPS, with said files referred to in this document as Current Data Files (or CDF). CDF may be updated as required using any method and apparatus (including automatic update using information contained in new PSOs). A current data file may contain any information, and may replace part at least of that within a PSO, however, it will usually include details of the costs associated with executing PSOs (that may be all, or a subset of, the available PSOs), and this may include information on discounts for frequency and or quantity and or special groups and or special promotions and or any other information. A CDF may have a creation date and or one or multiple blocks of information pertaining
an equivalent result) said
When a PSO is created, the date
any other method and apparatus to effect an equivalent result) is usually included within the PSO and when a PSO is processed, the date within the PSO may be compared to that within the CDF (if present), with the more recent information preferably used
including protection against tampering with the information. Various validity checks may be performed when information within a CDF is loaded and or used (this may be for any reason including detecting unauthorised alterations to the information). When an SPD generates a report for the service provider (or any other authorised party) it may include information on the currency of information within a particular CDF, and or the absence of a CDF, and or the creation dates of the PSOs executed. It may be that a user knows that access to a particular CDF by the SPD may result in increased costs to the user than would be incurred by referencing the billing information in the actual PSO, and said user may be reluctant to update their current CDF and or may delete the CDF (the invention allows that the presence of at least one CDF is required). The invention allows for any method and apparatus that may be used to circumvent this potential problem, including the service provider adjusting billing to reflect current charges (or any other reason).
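An added example, not from the patent, covering two passages at once: the periodic-interrupt metering described under "Monitoring the use of protected software objects" (sample the system microprocessor's program counter, look it up in the address map of the loaded PSOs, charge the vendor/product code) and the rate selection just described, where a CDF entry overrides the billing block embedded in a PSO only if the CDF is more recent than the PSO. The address-map layout, billing fields, dates, rates and class names are constructed for this example.

```python
"""Added example (not from the patent): time-based usage metering in the SPD
with charge rates chosen between a PSO's embedded billing block and a Current
Data File (CDF) by creation date.  All formats and sample values are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PsoBilling:
    """Vendor code, product code, cost per tick and creation date taken from a PSO."""
    vendor: str
    product: str
    units_per_tick: int
    created: date


@dataclass(frozen=True)
class CurrentDataFile:
    """A CDF on mass storage: creation date plus (vendor, product) -> units per tick."""
    created: date
    rates: Dict[Tuple[str, str], int]


@dataclass(frozen=True)
class LoadedPso:
    """Address range [start, end) a PSO occupies in the UCDPS, for the PC lookup."""
    start: int
    end: int
    billing: PsoBilling


def effective_rate(b: PsoBilling, cdf: Optional[CurrentDataFile]) -> int:
    """The more recent of the PSO's own rate and the CDF entry wins; no CDF or
    no entry for this product means the PSO's embedded rate applies."""
    key = (b.vendor, b.product)
    if cdf is None or key not in cdf.rates or cdf.created <= b.created:
        return b.units_per_tick
    return cdf.rates[key]


class UsageMeter:
    """Secure-side record: ticks and units per (vendor, product); credit in NV store."""

    def __init__(self, credit: int, cdf: Optional[CurrentDataFile] = None) -> None:
        self.credit = credit
        self.cdf = cdf
        self.address_map: List[LoadedPso] = []
        self.ticks: Dict[Tuple[str, str], int] = {}
        self.units: Dict[Tuple[str, str], int] = {}

    def load(self, pso: LoadedPso) -> None:
        self.address_map.append(pso)

    def _lookup(self, pc: int) -> Optional[LoadedPso]:
        for p in self.address_map:
            if p.start <= pc < p.end:
                return p
        return None

    def on_tick(self, pc: int) -> bool:
        """Periodic-interrupt handler given the sampled program counter.
        Returns False when credit would go negative (the SPD then refuses to run)."""
        pso = self._lookup(pc)
        if pso is None:
            return True          # OS or unprotected code was running: nothing to charge
        key = (pso.billing.vendor, pso.billing.product)
        rate = effective_rate(pso.billing, self.cdf)
        if self.credit < rate:
            return False
        self.credit -= rate
        self.ticks[key] = self.ticks.get(key, 0) + 1
        self.units[key] = self.units.get(key, 0) + rate
        return True

    def report(self) -> Dict[str, int]:
        """Vendor/product breakdown in generic units, as sent to the service provider."""
        return {f"{v}/{p}": u for (v, p), u in sorted(self.units.items())}


def sample_run() -> Tuple[UsageMeter, int]:
    """Constructed scenario: the CDF is newer than one PSO and older than the other,
    so its rate overrides only the first.  Returns the meter and the accepted ticks."""
    cdf = CurrentDataFile(date(1998, 6, 1), {("ACME", "CAD"): 3, ("ZED", "GAME"): 1})
    meter = UsageMeter(credit=100, cdf=cdf)
    meter.load(LoadedPso(0x1000, 0x2000, PsoBilling("ACME", "CAD", 2, date(1998, 1, 1))))
    meter.load(LoadedPso(0x4000, 0x5000, PsoBilling("ZED", "GAME", 5, date(1998, 9, 1))))
    samples = [0x1010, 0x1FFC, 0x8000, 0x4100, 0x4100, 0x0100]   # sampled PC values
    accepted = sum(1 for pc in samples if meter.on_tick(pc))
    return meter, accepted
```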

The preferred protection system is applicable to PSOs that are permitted to operate within a UCDPS on an unrestricted basis, as long as certain criteria are met:

• the PCPU and or any other PCPU has sufficient credit programmed into the device (using any method and apparatus) to cover the costs incurred by the user in executing the PSO, and or

• the use of each PSO is logged and this may be time based and or event based and or any other method and apparatus that requires periodic reports on software use and or any other information to be provided to an appropriate external party.

The invention allows that PSOs may be used on a time and or events basis and that this may require the availability of credit within the SPD and or may not require the availability of said credit, in which case the user would usually be billed for use of software after providing a periodic report to the service provider. As the PSO is used, the appropriate units of usage (that may be time and or monetary and or any other token) are progressively adjusted against a particular vendor/product code (and or any other method). When available credit is progressively utilised in association with the use of one or multiple PSOs, the amount of available credit to the user is decremented. The credit units within a SPD may represent any token and or currency, using any method. The invention allows for any method and apparatus to securely store this information and this may be internal and or external to the SPD. A number of method steps were described earlier for transferring credit to a particular SPD, and a similar method is used for supplying a service provider with information about PSO usage, and for the service provider to inform the SPD that this information
and apparatus is allowed for. For PSOs
a user may be required to provide a report when available credit within the SPD is zero and or some other predetermined amount and or the user may be required to report information to the service provider on a periodic
The invention allows that a user who has purchased in part or whole one or multiple PSOs and or earned frequency discounts on one or multiple PSOs and or any other reason, may wish to port these to another SPD for any reason, including that the user has purchased a new machine and or because the user wishes to sell part or all of any interest in one or multiple PSOs to another user. The invention also allows that one or multiple PSOs may not offer this facility. The invention allows that there are multiple known methods and apparatus for achieving this including, the preferred option that may involve the following method steps:

1) the user activates a program to reverse various capabilities granted to a particular SPD, for example activation codes and or discount schedules. This would usually initiate a menu type screen on the display device, using the method previously described, of the UCDPS to assist the process.

2) the user nominates those PSOs that are to have part or all rights of use transferred to another SPD.

3) the program may change various internal locations and may change various external locations such that existing rights are no longer valid on the SPD.

4) encrypted information is supplied to the service provider indicating that various access rights to one or multiple PSOs have been modified, and the encrypted information (using any method and apparatus) is decrypted and verified for validity, using any method and or apparatus.

5) the user usually informs the service provider of the new SPD that various access rights are to be transferred to. This may be multiple SPDs.

6) any codes and or discounts and or new versions of encrypted PSOs are prepared for the nominated PSOs and supplied accordingly.

User Password:

Certain information is preprogrammed into the PCPU prior to being made available to a user and some of this may restrict the user of that particular PCPU from various functions available within the PCPU and or available in various information supplied by a service provider. An example may be to restrict users of a particular country from various services. The invention allows that some of these restrictions may be reprogrammable with information supplied by the service provider while other information may be fixed. A user of a UCDPS equipped with a PCPU may have various restrictions that they want placed on the use of the PCPU and these would normally be programmable by the user, and these may include any appropriate functions using any known method. A user may want a master password for themselves and this would usually be stored within non-volatile storage elements of system memory, and the correct entry of this may be required to activate the PCPU (in the case of a PCPU the CPUs within may be disabled). Additional passwords may also be required that allow limited access to the PCPU, for example, certain passwords may be attached to children to prevent them from using unsuitable software, or certain employees may be prevented from playing games on their computers during business hours. Certain functions may also be attached to various passwords, eg. to monitor usage.

Any program and or data that is preprogrammed into a PCPU may in part or whole be the same as within other PCPUs and or may in part or whole be unique to other PCPUs. Any program that is currently within secure memory may call on any currently external programs and or data and or apparatus to assist the functions of said any program.
Protection of other forms of information:

The present invention also allows for the inclusion of part or all of the method and apparatus described in this application when used in conjunction (in any manner) with any secure apparatus (that may be one or multiple devices) for use in:

the secure decoding of encrypted (in part or whole) video information and or any other encrypted (in part or whole) visual information, and or the secure generation of the necessary signals to display the decoded information on a suitable visual output device, with said necessary signals preferably constrained within a secure location within said visual output device and or

the secure decoding of encrypted (in part or whole) sound information and or the secure creation from this decoded information of the necessary signals to drive a loudspeaker (and or equivalent), with said necessary signals preferably constrained within said loudspeaker (or equivalent) and or

the secure decoding of encrypted (in part or whole) text as may be the case with electronic books and or newspapers (and or any other printed matter of commercial value that is published in electronic form) and the secure generation of the necessary signals to display the decoded information on a suitable visual output device;

this particularly applies when said secure apparatus securely monitors and or logs (directly and or indirectly) the use of the encrypted information as it is decoded and used within said secure apparatus, and or

that includes (directly and or indirectly) one or multiple methods and apparatus to ensure payment is made for said use.

Any combination of software and or hardware and or microcode may be used to implement the method and apparatus, with the preferred method and apparatus:

retrieving pricing information from the encrypted information; and or

timing the use (and or counting the frequency of use) of said encrypted information; and or

storing this within the secure apparatus (that may include secure locations external to the secure apparatus) in non-volatile storage elements; and or

debiting an amount of electronic funds previously embedded within the secure apparatus; and or

recording an amount to charge against a credit limit; and or

generating a report of usage (preferably with a breakdown for each vendor and or product) that is supplied to the information provider (and or agent); and or a

system to ensure that said report of usage has been received by the relevant parties; and or

that may disable part or all of its capabilities in the event that electronic funds expire and or internal credit limits are exceeded and or a report is not provided to the relevant parties and or that periodic information is not received from said relevant parties; and or

that may be updated with additional electronic funds and or any previously used (or expired) credit limits reset. The encrypted information may be supplied on any machine readable physical media (e.g. CDROM or videodisc) and or broadcast using any method.

When an external PSO requires to access the SPD, the normal process is to:

a) block interrupts if required and write a command to the system command input port requesting use of the SPD.

b) the process of writing to the port preferably generates an interrupt so there is a rapid response from the secure microprocessor, otherwise there may be a delay while it is polled.
c) the secure microprocessor writes to the system command output port a value that indicates if there are currently no resources and another value if there are resources, together with the address and size of a user command input and output port and a user data input and output port. It clears the value written by the system microprocessor into the system command input port.

d) the PSO reads the information from the system command output port and reactivates interrupts.

e) if resources are currently unavailable to the PSO it may enter any known delay routine and try again later. The option exists for it to branch to a routine to advise the user that the multitasking capability of the UCDPS is currently fully extended.

f) if granted access it saves the allocated user port information in an accessible location and may read and write to these ports as required. There is no need to disable interrupts when accessing the user ports allocated to it. There is no requirement to modify the task switching routines of the UCDPS operating system.

g) if the SPD has granted a PSO access to the SPD then it preferably stores relevant information about the PSO user partition in a known location in the system partition, usually with information on other user partitions.

h) the SPD waits until the PSO starts writing information to its user data input port, this may be triggered by an interrupt or polling of locations and or any other method,

i) the SPD transfers the information into the allocated secure user partition. This may be done via the user input port and or via Direct Memory Access (DMA) or by direct programmed I/O by the secure microprocessor and or any other method permitted by a particular embodiment of the invention.

j) PSOs usually include various information to assist the SPD in addition to various encryption and validity checking information.

k) various system functions are activated to decrypt and validate where appropriate and extract other information relevant to the PSO.

m) the PSO may be determined to be a valid System Support Object that is required to be loaded into the secure system partition to addresses determined by any method. The System Support Object may include data and commands as to what sort of processing is required and or it may contain executable instructions, in which case the secure microprocessor will be directed to execute this program.

This is usually granted if the SPD currently has sufficient resources. This would normally be the case in a single tasking system, however, in a multitasking environment, a PSO may need to wait. Said wait may use any method.
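A simulation of the command port exchange in steps a) to i) above, added here as an example; it is not code from the patent. The port addresses, partition size, the two status values written to the system command output port and the release command are assumptions of this example, since the patent leaves them to the particular embodiment; the multitasking case where a third PSO must wait (step e) is included.

```python
"""Added example (not from the patent): the command-port handshake between PSOs
on the system microprocessor and the secure microprocessor of the SPD, steps a)
to i).  Port layout, partition size, status values and the release command are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NO_RESOURCES = 0x00      # written to the system command output port, step c)
GRANTED = 0x01
CMD_REQUEST = 0x10       # written by a PSO to the system command input port, step a)
CMD_RELEASE = 0x11       # constructed: PSO has finished with its partition
PORT_BASE = 0x100        # constructed: four consecutive port addresses per partition
PARTITION_SIZE = 4096


@dataclass(frozen=True)
class UserPorts:
    """Address and size of a PSO's user command and data ports, step c)."""
    cmd_in: int
    cmd_out: int
    data_in: int
    data_out: int
    size: int


class SecureDevice:
    """Secure microprocessor side; all state lives in secure internal memory."""

    def __init__(self, n_partitions: int) -> None:
        self.sys_cmd_in: Optional[tuple] = None        # system command input port
        self.sys_cmd_out: Dict[str, object] = {}       # system command output port
        self.owners: List[Optional[str]] = [None] * n_partitions      # step g)
        self.user_data: List[bytearray] = [bytearray() for _ in range(n_partitions)]

    @staticmethod
    def ports_for(idx: int) -> UserPorts:
        base = PORT_BASE + 4 * idx
        return UserPorts(base, base + 1, base + 2, base + 3, PARTITION_SIZE)

    def on_sys_cmd_written(self, pso_id: str, cmd: int) -> None:
        """Step b): the write raises an interrupt, so the command is serviced at once."""
        self.sys_cmd_in = (pso_id, cmd)
        if cmd == CMD_REQUEST:
            free = next((i for i, o in enumerate(self.owners) if o is None), None)
            if free is None:
                self.sys_cmd_out = {"status": NO_RESOURCES}
            else:
                self.owners[free] = pso_id                 # step g): record the owner
                self.user_data[free].clear()               # fresh partition for this PSO
                self.sys_cmd_out = {"status": GRANTED, "ports": self.ports_for(free)}
        elif cmd == CMD_RELEASE:
            self.owners = [None if o == pso_id else o for o in self.owners]
            self.sys_cmd_out = {"status": GRANTED}
        self.sys_cmd_in = None                             # step c): clear the input port

    def on_user_data_written(self, data_in_port: int, chunk: bytes) -> bool:
        """Steps h) and i): move data arriving at a user data input port into the
        allocated secure partition; refuse ports that were never granted."""
        idx, rem = divmod(data_in_port - PORT_BASE, 4)
        if rem != 2 or not 0 <= idx < len(self.owners) or self.owners[idx] is None:
            return False
        if len(self.user_data[idx]) + len(chunk) > PARTITION_SIZE:
            return False                                   # partition full
        self.user_data[idx] += chunk
        return True


class Pso:
    """System microprocessor side of the exchange."""

    def __init__(self, pso_id: str) -> None:
        self.pso_id = pso_id
        self.ports: Optional[UserPorts] = None

    def request_access(self, spd: SecureDevice) -> bool:
        # step a): a real UCDPS would block interrupts around this write
        spd.on_sys_cmd_written(self.pso_id, CMD_REQUEST)
        resp = spd.sys_cmd_out                 # step d): read the output port
        if resp["status"] == NO_RESOURCES:
            return False                       # step e): delay and retry later
        self.ports = resp["ports"]             # step f): keep the allocated ports
        return True

    def send(self, spd: SecureDevice, chunk: bytes) -> bool:
        return self.ports is not None and spd.on_user_data_written(self.ports.data_in, chunk)

    def release(self, spd: SecureDevice) -> None:
        spd.on_sys_cmd_written(self.pso_id, CMD_RELEASE)
        self.ports = None
```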

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1 The daims defining the invention arc as follows: 

2 1 . A method of distributing software obj ects from a producer to a potential user m mp ii yin g the method steps of: 

3 

4 equipping a user controlled data processing system with a secret processing device, and said user controlled data 

5 processing system equipped with said secret processing device is referred to as a PUCDPS, wherein said secret 

6 processing device of said PUCDPS may be configured to be dependent in pan or whole on the coupling of said 

7 PUCDPS far part or all of the time, to cue or multiple remote computers and or any other data processing devices, 

8 however, part or all of said secret processing device may operate and or be configured to operate in a sand alone 

9 PUCDPS and may remain operational for extended periods after said PUCDPS is removed from a source of power 

10 one or multiple times, and or moved to different locations, and or reset one or multiple times, and or any other event- 

11 that would normally disrupt processing on said PUCDPS; 
12 

13 proroiing one or multiple service p 

14 processing device that is required to provide part at least of the services required by one or multiple said PUCDPS, 

15 wherein said service providers are the agents of said producer, 
16 

17 providing a software object; 
18 

19 modifying part or all of said software object such that it is functionally limited to require said PUCDPS for correct 

20 processing On this claim execution and process and p roc essin g are interchangeable and refer to execution of 

21 instructions and or processing of data) and the functional limitation may be Oscar compatible and or may be 

Groover compatible and or may use any encryption method able to be reversed in said secret processing device, furthermore, said functional limitation may be of one or multiple essential parts of the software object such that it is not practical to regenerate the original software object from any parts that are not functionally limited and for any particular functionally limited software object the functional limitation may only be reversed in part or whole by a specific said secret processing device, and or the functional limitation may be reversed in part or whole on a plurality of said secret processing devices that have common characteristics necessary to reverse the functional limitation; and or

modifying part or all of said software object, using any method, such that said software object is securely linked in part or whole, using any method, to any one or multiple conditions of use, that in part or whole are not practical to tamper with and said conditions of use may include any code that identifies the producer of said software object and or identifies said software object in any way, such that when said secret processing device is used to reverse part or all of said functional limitation, said secret processing device may record use of said software object and or the use of software objects of a particular producer and or any other record that in part or whole is used in determining remuneration to the producer and or any other parties and or said conditions of use includes any code that contains information which may be used by the SPD to determine if said software object:

is permitted to execute and or process in part or whole on a units of time used basis, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or
is permitted to execute and or process in part or whole on an events occurring basis, for example the number of times one or multiple parts of said software object are loaded and or executed and or any other measurable events basis, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

is permitted to execute and or process on an unlimited basis subject to a fee, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

is permitted to execute and or process on any type of limited basis subject to a fee; and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

requires entry of one or multiple data keys of any type prior to initiating use of part or all of said software object for the first and or any other time on a particular said secret processing device and or a fee is to be charged; and or

requires any other restrictions of any type to be placed on use of said software object; and

any said software object modified in part or whole as described is referred to as a Protected Software Object;

providing one or multiple protected software object onto computer-accessible memory media and or any suitable apparatus for electronically transferring said protected software object to a potential user, and preferably the conditions of use attached to said one or multiple protected software object permit said protected software object to be used on a time used basis in a PUCDPS with a secret processing device that has sufficient quantity of one or multiple said unit of measurement stored within and or securely accessible;

shipping said one or multiple said protected software object on said computer-accessible memory media to a potential user and or said electronically transferring said one or multiple protected software object;

loading said one or multiple said protected software object into said PUCDPS and executing as permitted by said conditions of use;

where required by said conditions of use, a user friendly menu system and or any other method provides for the user to:

request the supply of one or multiple said unit of measurement that may be required by the said secret processing device for any purpose, and or

receive one or multiple said unit of measurement, preferably in suitably encrypted format, that may use any method, and transfer said unit of measurement into the said secret processing device, and or accessible to the secret processing device, and or

request the supply of one or multiple data keys that may be required by the said secret processing device, and or

receive one or multiple data keys and transfer said data keys into the said secret processing device, and or accessible to said secret processing device, using any method, and or

generate one or multiple reports of software usage and or any other information that may be required, and supply said reports to said service provider as required, and or

receive one or multiple codes confirming that said report has been received and supply said one or multiple confirming codes into said secret processing device and or accessible to said secret processing device, and or

request the service provider and or any other authorised party for one or multiple codes that may be used to reactivate part or all of said secret processing device, and or

receive one or multiple codes to reactivate part or all of said secret processing device that may have been disabled for any reason and transfer said codes into said secret processing device, and or accessible to said secret processing device, and or

for any of the preceding, the information generated by said PUCDPS and or received from said service provider is preferably transferred electronically, however, any other combination of methods may be used including mailing of computer-accessible memory media containing the information.

2. A method of distributing software objects according to Claim 1, wherein said secret processing device may:

securely decrypt and execute (in this claim execution and process and processing are interchangeable and refer to execution of instructions and or processing of data) and or process instructions and or securely decrypt and process data; and or

securely decrypt and execute and or process instructions and or securely decrypt and process data to provide part or all of the requirements of reversing functional limitations applied that are said Oscar compatible; and or

reverse any functional limitations applied that are said Groover compatible; and or

reverse part or all any functional limitations applying to said protected software object; and or

may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software objects, where said decision is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said PUCDPS is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or

transfer into itself and or has transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or

access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or

examine said conditions of use said securely linked to said protected software object; and or

determine a response to said conditions of use; and or

respond to said conditions of use; and or

provide one or multiple area of secure memory that is not practical to analyse; and or

provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or

may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or

may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or

may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or

have the capacity to detect whether part or all of said protected software object have been tampered with; and or

handle the requirements of a large number of different protected software objects that it has not been specifically preconfigured for while in unsecure locations; and or

may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or

may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or

may have the capacity to securely monitor the usage of said protected software object; and or

may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software objects as determined by their said conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties;

may securely record the usage of said protected software object and the record may include a secure breakdown of the usage on a producer and or product or any other basis, and said record in part or whole is non-volatile; and or

request and or compel the user of said PUCDPS to provide any necessary reports of usage to said service provider and or to any other location; and or

confirm that said reports have been received as required; and or

not require modification of the PUCDPS operating system; and or

not require special routines to intercept calls to said system operating system; and or

identify the type of said protected software object and act as required; and or

provide or have access to one or multiple tamperproof, non-volatile source of time and or date; and or

provide or have access to one or multiple tamperproof timers; and or

provide one or multiple method of identifying a particular tamperproof environment that may include the use of an electronic signature; and or

provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or

provide one or multiple programs, that may be preprogrammed and or transferred as required that use secret information unique to said secret processing device; and or

process multiple said protected software object in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or

include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed, in a secure manner and usually transparently to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple applications not currently available to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or

are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or

include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose; and or

may partition secure memory that forms part of said secure and secret processing system into secure system memory and secure user memory, wherein programs within system memory may access those in user memory, however, user programs may not access system memory on an unauthorised basis, furthermore, said user memory may be further partitioned into multiple user partitions, wherein each user partition cannot affect information within other user partitions.

3. A method of distributing software objects according to Claim 1, wherein said not practical may be interpreted as multiple levels of difficulty depending on the requirements and may be too difficult:

for a normal user,

with disassembly of said parts that are not functionally limited,

with attempts at characterising encrypted information in the hope of breaking encryption methods;

with attempts at destroying the package to view the information within.

4. A method of distributing software objects according to Claim 1, wherein said Oscar compatible is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

5. A method of distributing software objects according to Claim 1, wherein said Groover compatible is any functional limitation of part or all of a software object by deletion of part or all of the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any other method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

6. A method of distributing software objects according to Claim 2, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.

7. An apparatus for distributing software objects, referenced a secret processing device, that may in part or whole be integrated into the same integrated circuit (and or directly and or indirectly linked) as the system microprocessor of said user controlled data processing system, and preferably does not interfere with the normal functions of said system microprocessor, the secret processing device may also form an integral part of a multiprocessor system microprocessor, part or all of said secret processing device may be integrated into any one or multiple devices external to said system microprocessor and attached directly and or indirectly to said user controlled data processing system;

said secret processing device includes one or multiple secure microprocessors and one or multiple blocks of secure memory storage devices, that may include other functions as described, wherein said secret processing device may:

securely decrypt and execute and or process instructions and or securely decrypt and process data; and or

securely decrypt and execute and or process instructions and or securely decrypt and process data to provide part or all of the requirements of reversing functional limitations applied that are said Oscar compatible; and or

reverse any functional limitations applied that are said Groover compatible; and or

reverse part or all any functional limitations applying to said protected software object; and or

may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software objects, where said decision is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said user controlled data processing system is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

transfer into itself and or has transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or

access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or

examine the said conditions of use said securely linked to said protected software object; and or

determine a response to said conditions of use; and or

respond to said conditions of use; and or

provide one or multiple area of secure memory that is not practical to analyse; and or

provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or

may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or

may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or

may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or

have the capacity to detect whether part or all of said protected software object have been tampered with; and or

may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or

have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or

may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or

may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or

may have the capacity to securely monitor the usage of said protected software object; and or

may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software objects as determined by their said conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties;

may securely record the usage of said protected software object and the record may include a secure breakdown of the usage on a producer and or product or any other basis, and said record in part or whole is non-volatile; and or

request and or compel the user of said user controlled data processing system to provide any necessary reports of usage to said service provider and or to any other location; and or

confirm that said reports have been received as required; and or

not require modification of the PUCDPS operating system; and or

not require special routines to intercept calls to said system operating system; and or

identify the type of said protected software object and act as required; and or

provide or have access to one or multiple tamperproof, non-volatile source of time and or date; and or

provide or have access to one or multiple tamperproof timers; and or

provide one or multiple method of identifying a particular tamperproof environment that may include the use of an electronic signature; and or

provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or

provide one or multiple programs, that may be preprogrammed and or transferred as required that use secret information unique to said secret processing device; and or

process multiple said protected software object in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or

include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed, in a secure manner and usually transparently to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple applications not currently available to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or

are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or

include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose.

8. A method of distributing software objects according to Claim 7, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including the availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.

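As an added illustration, not code from the patent, the following Python model shows how a secret processing device could act on the conditions of use of Claim 1 and make the response determination of Claims 6 and 8: it verifies the secure link between the conditions and the functionally limited payload, checks data key entry, outstanding usage reports and available units of use, and only then reverses the limitation and records the charge against the producer. The SHA-256 counter keystream, the HMAC link, and every class, field and function name are assumptions made for this example.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ConditionsOfUse:
    """Conditions of use securely linked to a protected software object (Claim 1)."""
    producer_id: str
    object_id: str
    basis: str                 # "time", "events", "unlimited" or "limited"
    fee_units: int             # generic units of use per time unit, per event, or per grant
    limit: int = 0             # for "limited": maximum number of grants on this device
    data_key_hash: str = ""    # hex SHA-256 of a data key that must be entered first, if any
    report_required: bool = False

    def encode(self) -> bytes:
        # Canonical encoding so the MAC over the conditions is reproducible.
        return json.dumps(asdict(self), sort_keys=True).encode()


@dataclass(frozen=True)
class ProtectedSoftwareObject:
    limited_payload: bytes     # functionally limited (here: stream-enciphered) body
    conditions: ConditionsOfUse
    link_tag: bytes            # HMAC binding the conditions to this payload


def _keystream(key: bytes, length: int) -> bytes:
    # Toy SHA-256 counter keystream; a stand-in for the patent's unspecified cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect(plain: bytes, cond: ConditionsOfUse, device_key: bytes) -> ProtectedSoftwareObject:
    """Producer side: apply the functional limitation and securely link the conditions of use."""
    limited = bytes(a ^ b for a, b in zip(plain, _keystream(device_key, len(plain))))
    tag = hmac.new(device_key, limited + cond.encode(), hashlib.sha256).digest()
    return ProtectedSoftwareObject(limited, cond, tag)


class SecretProcessingDevice:
    """Holds units of use, data keys and usage records; decides whether to reverse a limitation."""

    def __init__(self, device_key: bytes, units_of_use: int = 0):
        self._key = device_key                     # secret unique to this device
        self.units_of_use = units_of_use           # generic units of measurement loaded
        self.entered_data_keys: Dict[str, str] = {}
        self.report_outstanding = False            # set when a usage report is due
        self.usage_record: Dict[str, int] = {}     # producer_id -> units charged
        self.grants: Dict[str, int] = {}           # object_id -> times permitted so far

    def load_units(self, n: int) -> None:
        self.units_of_use += n

    def enter_data_key(self, object_id: str, data_key: bytes) -> None:
        self.entered_data_keys[object_id] = hashlib.sha256(data_key).hexdigest()

    def decide(self, pso: ProtectedSoftwareObject, quantity: int = 1) -> Tuple[bool, str]:
        """The autonomous response to the conditions of use (Claims 6 and 8)."""
        c = pso.conditions
        expected = hmac.new(self._key, pso.limited_payload + c.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pso.link_tag):
            return False, "conditions of use or payload tampered with"
        if c.data_key_hash and self.entered_data_keys.get(c.object_id) != c.data_key_hash:
            return False, "required data key not entered"
        if c.report_required and self.report_outstanding:
            return False, "usage report not yet confirmed by service provider"
        granted = self.grants.get(c.object_id, 0)
        if c.basis in ("time", "events"):
            cost = c.fee_units * quantity            # charged per unit of time or per event
        elif c.basis == "unlimited":
            cost = 0 if granted else c.fee_units     # one fee, then unlimited use
        elif c.basis == "limited":
            if granted + quantity > c.limit:
                return False, "limited basis exhausted"
            cost = c.fee_units * quantity
        else:
            return False, "unknown basis in conditions of use"
        if cost > self.units_of_use:
            return False, "insufficient units of use"
        self.units_of_use -= cost
        self.usage_record[c.producer_id] = self.usage_record.get(c.producer_id, 0) + cost
        self.grants[c.object_id] = granted + quantity
        return True, "permitted"

    def reverse(self, pso: ProtectedSoftwareObject, quantity: int = 1) -> Optional[bytes]:
        """Reverse the functional limitation only when decide() permits it."""
        permitted, _ = self.decide(pso, quantity)
        if not permitted:
            return None
        ks = _keystream(self._key, len(pso.limited_payload))
        return bytes(a ^ b for a, b in zip(pso.limited_payload, ks))
```

The device key is shared with the producer only so that protect() can run in the same script; in the patent's arrangement the limitation is applied at a secure location remote to the user.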
9. An apparatus for distributing software objects according to Claim 7, wherein said Oscar compatible is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

10. An apparatus for distributing software objects according to Claim 7, wherein said Groover compatible is any functional limitation of part or all of a software object by deletion of part or all of the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

11. An apparatus for distributing software objects according to Claim 7, wherein said protected software object is a software object that has been reversibly functionally limited to be reversed in part or whole by functions provided by said secret processing device.

12. An apparatus for distributing software objects according to Claim 7, wherein said conditions of use may be a plurality of conditions securely linked to said protected software object that are extracted in part or whole by said secret processing device and used to determine whether to reverse the said functional limitations applied to one or multiple said protected software object.

13. A method of securely protecting and distributing software objects substantially as hereinbefore described with reference to the drawings.

14. An apparatus for distributing software objects substantially as hereinbefore described with reference to the drawings.

15. The steps, features, compositions and compounds disclosed herein or referred to or indicated in the specification and/or claims of this application, individually or collectively, and any and all combinations of any two or more of said steps or features.